Evaluation systems and methods for coordinating software agents

ABSTRACT

A device, method, computer program product, and network subsystem are described for associating a first mobile agent with a first security policy and a second mobile agent with a second security policy or for providing a first agent with code for responding to situational information about the first agent and about a second agent and for evaluating a received message at least in response to an indication of the first security policy and to an indication of the second security policy or for deploying the first agent.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is related to and/or claims the benefit of theearliest available effective filing date(s) from the following listedapplication(s) (the “Priority Applications”), if any, listed below(e.g., claims earliest available priority dates for other thanprovisional patent applications or claims benefits under 35 USC §119(e)for provisional patent applications, for any and all parent,grandparent, great-grandparent, etc. applications of the PriorityApplication(s)). In addition, the present application is related to the“Related Applications,” if any, listed below.

PRIORITY APPLICATIONS

For purposes of the USPTO extra-statutory requirements, the presentapplication constitutes a continuation of U.S. patent application Ser.No. 11/640,448, entitled “EVALUATION SYSTEMS AND METHODS FORCOORDINATING SOFTWARE AGENTS”, naming Alexander J. Cohen, Edward K. Y.Jung, Royce A. Levien, Robert W. Lord and William Henry Mangione-Smithas inventors, filed 15 Dec. 2006, which is currently co-pending, or isan application of which a currently co-pending application is entitledto the benefit of the filing date.

For purposes of the USPTO extra-statutory requirements, the presentapplication constitutes a continuation of U.S. patent application Ser.No. 11/640,532, entitled “EVALUATION SYSTEMS AND METHODS FORCOORDINATING SOFTWARE AGENTS”, naming Alexander J. Cohen, Edward K. Y.Jung, Royce A. Levien, Robert W. Lord and William Henry Mangione-Smithas inventors, filed 15 Dec. 2006, which is currently co-pending, or isan application of which a currently co-pending application is entitledto the benefit of the filing date.

For purposes of the USPTO extra-statutory requirements, the presentapplication constitutes a continuation of U.S. patent application Ser.No. 11/640,531, entitled “EVALUATION SYSTEMS AND METHODS FORCOORDINATING SOFTWARE AGENTS”, naming Alexander J. Cohen, Edward K. Y.Jung, Royce A. Levien, Robert W. Lord and William Henry Mangione-Smithas inventors, filed 15 Dec. 2006, which is currently co-pending, or isan application of which a currently co-pending application is entitledto the benefit of the filing date.

For purposes of the USPTO extra-statutory requirements, the presentapplication constitutes a continuation of U.S. patent application Ser.No. 11/524,051, entitled “EVALUATION SYSTEMS AND METHODS FORCOORDINATING SOFTWARE AGENTS”, naming Alexander J. Cohen, Edward K. Y.Jung, Royce A. Levien, Robert W. Lord and William Henry Mangione-Smithas inventors, filed 19 Sep. 2006, which is currently co-pending, or isan application of which a currently co-pending application is entitledto the benefit of the filing date.

RELATED APPLICATIONS

None

The United States Patent Office (USPTO) has published a notice to theeffect that the USPTO's computer programs require that patent applicantsreference both a serial number and indicate whether an application is acontinuation, continuation-in-part, or divisional of a parentapplication. Stephen G. Kunin, Benefit of Prior-Filed Application, USPTOOfficial Gazette Mar. 18, 2003. The USPTO further has provided forms forthe Application Data Sheet which allow automatic loading ofbibliographic data but which require identification of each applicationas a continuation, continuation-in-part, or divisional of a parentapplication. The present Applicant Entity (hereinafter “Applicant”) hasprovided above a specific reference to the application(s) from whichpriority is being claimed as recited by statute. Applicant understandsthat the statute is unambiguous in its specific reference language anddoes not require either a serial number or any characterization, such as“continuation” or “continuation-in-part,” for claiming priority to U.S.patent applications. Notwithstanding the foregoing, Applicantunderstands that the USPTO's computer programs have certain data entryrequirements, and hence Applicant has provided designation(s) of arelationship between the present application and its parentapplication(s) as set forth above and in any ADS filed in thisapplication, but expressly points out that such designation(s) are notto be construed in any way as any type of commentary and/or admission asto whether or not the present application contains any new matter inaddition to the matter of its parent application(s).

If the listings of applications provided above are inconsistent with thelistings provided via an ADS, it is the intent of the Applicant to claimpriority to each application that appears in the Priority Applicationssection of the ADS and to each application that appears in the PriorityApplications section of this application.

All subject matter of the Priority Applications and the RelatedApplications and of any and all parent, grandparent, great-grandparent,etc. applications of the Priority Applications and the RelatedApplications, including any priority claims, is incorporated herein byreference to the extent such subject matter is not inconsistentherewith.

If an Application Data Sheet (ADS) has been filed on the filing date ofthis application, it is incorporated by reference herein. Anyapplications claimed on the ADS for priority under 35 U.S.C. §§119, 120,121, or 365(c), and any and all parent, grandparent, great-grandparent,etc. applications of such applications, are also incorporated byreference, including any priority claims made in those applications andany material incorporated by reference, to the extent such subjectmatter is not inconsistent herewith.

SUMMARY

An embodiment provides a method. In one implementation, the methodincludes but is not limited to signaling a first application relatingwith a first core and with a second core, aggregating information inresponse to data received after signaling the first application relatingwith the first core and with the second core and transmitting at least aportion of the information aggregated in response to the data receivedafter signaling the first application relating with the first core andwith the second core. In addition to the foregoing, other method aspectsare described in the claims, drawings, and text forming a part of thepresent disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for signaling a first application relating with a firstcore and with a second core; one or more instructions for aggregatinginformation in response to data received after signaling the firstapplication relating with the first core and with the second core; andone or more instructions for transmitting at least a portion of theinformation aggregated in response to the data received after signalingthe first application relating with the first core and with the secondcore. In addition to the foregoing, other computer program productaspects are described in the claims, drawings, and text forming a partof the present disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for signaling a firstapplication relating with a first core and with a second core, circuitryfor aggregating information in response to data received after signalingthe first application relating with the first core and with the secondcore and circuitry for transmitting at least a portion of theinformation aggregated in response to the data received after signalingthe first application relating with the first core and with the secondcore. In addition to the foregoing, other system aspects are describedin the claims, drawings, and text forming a part of the presentdisclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to associating a first mobile agent with afirst security policy and a second mobile agent with a second securitypolicy and evaluating a received message at least in response to anindication of the first security policy and to an indication of thesecond security policy. In addition to the foregoing, other methodaspects are described in the claims, drawings, and text forming a partof the present disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for associating a first mobile agent with a first securitypolicy and a second mobile agent with a second security policy and oneor more instructions for evaluating a received message at least inresponse to an indication of the first security policy and to anindication of the second security policy. In addition to the foregoing,other computer program product aspects are described in the claims,drawings, and text forming a part of the present disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for associating a first mobileagent with a first security policy and a second mobile agent with asecond security policy and circuitry for evaluating a received messageat least in response to an indication of the first security policy andto an indication of the second security policy. In addition to theforegoing, other system aspects are described in the claims, drawings,and text forming a part of the present disclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to providing a first agent with code forresponding to situational information about the first agent and about asecond agent and deploying the first agent. In addition to theforegoing, other method aspects are described in the claims, drawings,and text forming a part of the present disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for providing a first agent with code for responding tosituational information about the first agent and about a second agentand one or more instructions for deploying the first agent. In additionto the foregoing, other computer program product aspects are describedin the claims, drawings, and text forming a part of the presentdisclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for providing a first agentwith code for responding to situational information about the firstagent and about a second agent and circuitry for deploying the firstagent. In addition to the foregoing, other system aspects are describedin the claims, drawings, and text forming a part of the presentdisclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to signaling a first application relatingwith a first core and with a second core and signaling via a third corea partial service configuration change at least in the first core inresponse to data received after signaling the first application relatingwith the first core and with the second core. In addition to theforegoing, other method aspects are described in the claims, drawings,and text forming a part of the present disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for signaling a first application relating with a firstcore and with a second core and one or more instructions for signalingvia a third core a partial service configuration change at least in thefirst core in response to data received after signaling the firstapplication relating with the first core and with the second core. Inaddition to the foregoing, other computer program product aspects aredescribed in the claims, drawings, and text forming a part of thepresent disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for signaling a firstapplication relating with a first core and with a second core andcircuitry for signaling via a third core a partial service configurationchange at least in the first core in response to data received aftersignaling the first application relating with the first core and withthe second core. In addition to the foregoing, other system aspects aredescribed in the claims, drawings, and text forming a part of thepresent disclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to displaying a portion of a data structureand deciding whether to update the data structure in response to aninter-core linkage and to input received after displaying the portion ofthe data structure. In addition to the foregoing, other method aspectsare described in the claims, drawings, and text forming a part of thepresent disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for displaying a portion of a data structure and one ormore instructions for deciding whether to update the data structure inresponse to an inter-core linkage and to input received after displayingthe portion of the data structure. In addition to the foregoing, othercomputer program product aspects are described in the claims, drawings,and text forming a part of the present disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for displaying a portion of adata structure and circuitry for deciding whether to update the datastructure in response to an inter-core linkage and to input receivedafter displaying the portion of the data structure. In addition to theforegoing, other system aspects are described in the claims, drawings,and text forming a part of the present disclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to obtaining an inter-core linkage inassociation with a tabular data object and deciding whether to updatethe tabular data object in response to the inter-core linkage obtainedin association with the tabular data object. In addition to theforegoing, other method aspects are described in the claims, drawings,and text forming a part of the present disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for obtaining an inter-core linkage in association with atabular data object and one or more instructions for deciding whether toupdate the tabular data object in response to the inter-core linkageobtained in association with the tabular data object. In addition to theforegoing, other computer program product aspects are described in theclaims, drawings, and text forming a part of the present disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for obtaining an inter-corelinkage in association with a tabular data object and circuitry fordeciding whether to update the tabular data object in response to theinter-core linkage obtained in association with the tabular data object.In addition to the foregoing, other system aspects are described in theclaims, drawings, and text forming a part of the present disclosure.

An embodiment provides a method. In one implementation, the methodincludes but is not limited to receiving information from a remote agentlocally and responding to the locally received information from theremote agent by deciding whether to signal a change of a securityconfiguration of the remote agent. In addition to the foregoing, othermethod aspects are described in the claims, drawings, and text forming apart of the present disclosure.

An embodiment provides a computer program product. In oneimplementation, the computer program product includes but is not limitedto a signal-bearing medium bearing at least one of one or moreinstructions for receiving information from a remote agent locally andone or more instructions for responding to the locally receivedinformation from the remote agent by deciding whether to signal a changeof a security configuration of the remote agent. In addition to theforegoing, other computer program product aspects are described in theclaims, drawings, and text forming a part of the present disclosure.

In one or more various aspects, related systems include but are notlimited to circuitry and/or programming for effecting theherein-referenced method aspects, the circuitry and/or programming canbe virtually any combination of hardware, software, and/or firmwareconfigured to effect the herein-referenced method aspects depending uponthe design choices of the system designer.

An embodiment provides a system. In one implementation, the systemincludes but is not limited to circuitry for receiving information froma remote agent locally and circuitry for responding to the locallyreceived information from the remote agent by deciding whether to signala change of a security configuration of the remote agent. In addition tothe foregoing, other system aspects are described in the claims,drawings, and text forming a part of the present disclosure.

The foregoing summary is illustrative only and is not intended to be inany way limiting. In addition to the illustrative aspects, embodiments,and features described above, further aspects, embodiments, and featureswill become apparent by reference to the drawings and the followingdetailed description.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 depicts an exemplary environment in which one or moretechnologies may be implemented.

FIG. 2 depicts a high-level logic flow of an operational process.

FIG. 3 depicts an exemplary environment in which one or moretechnologies may be implemented.

FIGS. 4-9 depict high-level logic flows of other operational processes.

FIGS. 10-28 depict other exemplary environments in each of which one ormore technologies may be implemented.

FIGS. 29-32 depict variants of the flow of FIG. 4.

FIGS. 33-35 depict variants of the flow of FIG. 9.

FIGS. 36-37 depict variants of the flow of FIG. 8.

FIGS. 38-42 depict variants of the flow of FIG. 2.

FIGS. 43-44 depict variants of the flow of FIG. 5.

FIGS. 45-46 depict variants of the flow of FIG. 6.

FIGS. 47-49 depict variants of the flow of FIG. 7.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings, which form a part hereof. In the drawings,similar symbols typically identify similar components, unless contextdictates otherwise. The illustrative embodiments described in thedetailed description, drawings, and claims are not meant to be limiting.Other embodiments may be utilized, and other changes may be made,without departing from the spirit or scope of the subject matterpresented here.

Referring now to FIG. 1, there is shown a view 130 of an exemplaryenvironment in which one or more technologies may be implemented. Asshown network 100 includes domain 140 including Application ServiceRouter (ASR) 145 optionally linked to admin station 115. Alternativelyor additionally, admin station 115 can be linked to application manager110 via control linkage 113. Domain 140 includes appnet 150 includingcore 151 and core 152 at least coupled by linkage 155, which can be avirtual or other channel between mutually remote sites, for example. Insome embodiments, an appnet includes at least a set of cores associatedwith an application (or a suite of applications), and may also includecircuitry, code, data, or the like. The cores may comprise processingcores or environments, simple communication cores, relays, or the like.

In some embodiments, a “core” refers to a processing core, a computer orprocessing environment, a network node, software or logic configured forprocessing data, active relay circuitry operable for handling data, orthe like. Likewise a data object can be “in” a core if it is at moreclosely associated with that core than with other cores, for example byvirtue of existing within one or more media of a hardware core or withina core's designated space allocation of memory or storage.

One or more of the cores 151, 152 in appnet 150 are coupled to ASR 145.One or more of the cores 151, 152 in appnet 150 can optionally interactwith client 120 via request linkage 123. Network 100 can (optionally)include one or more other appnets such as overlapping appnet 160. Appnet160 can include core 152 and core 163 at least, optionally coupled byopen database communication (ODBC) link 165 or the like. In someembodiments, one or more cores 152, 163 of appnet 160 can also beaccessible to client 120, such as by linkage 122. As shown, each ofappnets 150, 160 associates an application (or a cluster ofapplications) to groups of cores. For example, one or more label(s) 166(“Enterprise” or “Parts Catalog,” e.g.) can represent the application(s)of appnet 160 in view 130.

Referring now to FIG. 2, there is shown a high-level logic flow 200 ofan operational process. Operation 210 describes signaling a firstapplication relating with a first core and with a second core (e.g. ASR145 signaling that appnet 150 contains a rendering applicationdistributed across network cores 151, 152). Alternatively oradditionally, operation 210 can include signaling such a distributedapplication via a direct or indirect path. In some embodiments,operation 210 can include storing or transmitting an indication of arelationship between the application and the cores, optionally as one ormore messages that also indicate features of the relationship. Thefeatures can include names or other handles of processes, resources, orcontrols affecting or effectuating the application at one or more of thecores, for example. In some embodiments, an application comprisessoftware or firmware that employs the capabilities of circuitry forperforming a user-assigned task or some other task that some operatingsystems might not perform.

Flow 200 includes operation 210—signaling a first application relatingwith a first core and with a second core (e.g. admin station 115reporting a complete topography of appnet 150 via control linkage 113).Portions of this topography can be omitted for brevity, of course, insome embodiments. Alternatively or additionally, in various embodimentsas described below, operation 210 can likewise be performed by ASR 145or by various combinations shown in FIGS. 11 and 26.

Flow 200 further includes operation 220—signaling via a third core apartial service configuration change at least in the first core inresponse to data received after signaling the first application relatingwith the first core and with the second core (e.g. admin station 115 orASR 145 signaling a process suspension or restart in core 151 responsiveto an instruction from application manager 110 after operation 210).Signaling the process suspension can include triggering or displaying anindication of the suspension or restart (via ASR 145 or control linkage113, e.g.).

Referring now to FIG. 3, there is shown an exemplary environment inwhich one or more technologies may be implemented. Network 300 includesdomain 301 including subsystem 302 and appnet 350 linked by channel 303or otherwise able to communicate with each other. (It will be understoodby those skilled in the art that a common channel such as a system busis shown for convenience, but that coupling arrangements of comparableeffectiveness between or among the recited items can be formed in othertypes of structures such as direct conduits. See, e.g., FIG. 17.)Subsystem 302 can include one or more of signaling modules 311, 321; oneor more aggregation modules 312, 322, one or more transmission modules313, 323, or one or more types of interface 325. Appnet 350 includes twoor more cores 391, 392 jointly containing one or more apps 397, 398 eachwith one or more processes 394, one or more controls 395, or one or moreresources 396 in each of the cores as shown. As shown, resources 314 caninclude implementer 370 or data handler 390 able to store or otherwisehandle data 331. Aggregation module 312 can include one or more ofreceiver 319 or aggregator 330. Transmission module 313 can include oneor more of extractor 374 or transmitter 388.

Referring now to FIG. 4, there is shown a high-level logic flow 400 ofan operational process. Operation 210—signaling a first applicationrelating with a first core and with a second core (e.g. signaling module311 signaling that appnet 350 contains an encoding applicationdistributed across cores 391, 392). The signaling can include sending asignal to or about the application or the fact or manner of relating,for example.

Flow 400 further includes operation 450—aggregating information inresponse to data received after signaling the first application relatingwith the first core and with the second core (e.g. aggregation module312 logging event indications according to one or more criteria receivedby receiver 319 after signaling module 311 signals appnet 350). In someembodiments, aggregating can comprise gathering the information overtime, or from more than one source, into a unified or other accessiblestructure. Those skilled in the art will recognize a variety ofaggregation rules that can be adapted for such embodiments without undueexperimentation. Receiver 319 can receive event types, timestamps, errorindications or the like from data 331 locally or from interface 325, forexample, as the one or more criteria.

Flow 400 further includes operation 460—transmitting at least a portionof the information aggregated in response to the data received aftersignaling the first application relating with the first core and withthe second core (e.g. transmission module 313 sending a selection of theabove-referenced event indications as a plot to interface 325). The plotcan include an activity level index plotted against time, for example,or any other scatter plot of correlated measurements or other figures ofmerit. Alternatively or additionally, portions of operation 460 can beperformed before, during, or in alternation with operations 210, 220,and 450 in some embodiments.

Referring now to FIG. 5, there is shown a high-level logic flow 500 ofan operational process. Operation 580—displaying a portion of a datastructure (e.g. an interface showing less than all of a message, tableor the like via a mechanism such as a display screen). In someembodiments, the portion can show a single scalar value or severalfields in a common record. Alternatively or additionally, formattinginformation such as menu options or other labels can be displayedsimultaneously. See, e.g., FIGS. 22 & 23.

Flow 500 further includes operation 590—deciding whether to update thedata structure in response to an inter-core linkage and to inputreceived after displaying the portion of the data structure (e.g. adecision module or the like deciding whether to update a file partlybased on a linkage to another core within the file and partly based on auser's response to the displayed portion). In some embodiments, an“inter-core linkage” can refer to a hardware or software configurationcausing data in a first core to affect data in a second core by virtueof a continuous, synchronous, responsive, or other systematic updatemechanism. Alternatively or additionally, the input can include timingsignals, for example, so that a default value can be used in response toa user's failure to provide the input promptly.

Referring now to FIG. 6, there is shown a high-level logic flow 600 ofan operational process. Operation 610 describes obtaining an inter-corelinkage in association with a tabular data object (e.g. a linkage moduleor the like creating or otherwise defining a linkage between a localdata object and another core's data object to pull or push data throughthe linkage, maintaining a relationship between the data objects). Insome embodiments, “tabular” data refers to groupings of decimal, text,or other spreadsheet-type data for use in columns and rows ofuser-symbol-containing cells. It also refers to other data at leastpartly based on such tabular data (e.g. totals or charts), to formatdata usable with such tabular data (e.g. font information), or toformulas or other logic responsive to other tabular data. Operation 620describes deciding whether to update the tabular data object in responseto the inter-core linkage obtained in association with the tabular dataobject (e.g. a link management module maintaining the above-describedrelationship by pulling or pushing data through the linkage). See, e.g.,FIGS. 22 & 23.

Referring now to FIG. 7, there is shown a high-level logic flow 700 ofan operational process. Operation 710—receiving information from aremote agent locally (e.g. a receiving module receiving a filecontaining malware or some other status-indicative signal from an agentvia an internet hub). In some embodiments described in this document, an“agent” can be an application or other software object able to decideupon an action to perform based upon a history of its observations inits environment. An agent can be “mobile” if it includes at least aportion that could make such a decision even after being dispatched intoone or more remote cores. Flow 700 further includes operation720—responding to the locally received information from the remote agentby deciding whether to signal a change of a security configuration ofthe remote agent (e.g. a decision module responding to a long series oftimely heartbeat signals by signaling a removal of a security protocolat the remote agent). See, e.g., FIG. 19.

Referring now to FIG. 8, there is shown a high-level logic flow 800 ofan operational process. Operation 880—providing a first agent with codefor responding to situational information about the first agent andabout a second agent (e.g. agent configuration circuitry programming thefirst agent for reacting to the situation of the first agent and that ofother agents). Flow 800 further includes operation 890—deploying thefirst agent (e.g. agent deployment circuitry causing the first agent tobecome active locally or remotely). See, e.g., FIG. 25.

Referring now to FIG. 9, there is shown a high-level logic flow 900 ofan operational process. Operation 960—associating a first mobile agentwith a first security policy and a second mobile agent with a secondsecurity policy (e.g. policy association circuitry identifying eachagent's policies with a corresponding agent handle). In someembodiments, the respective security policies may include commonattributes or components. Flow 900 further includes operation970—evaluating a received message at least in response to an indicationof the first security policy and to an indication of the second securitypolicy (e.g. evaluation circuitry using the policy indications to employmore safeguards for messages arriving from agents fewer safeguards, andvice versa). Such security policy indications can facilitate messageevaluation in some embodiments, signaling at least an aspect of risk orother meaning in the received message. A null, outdated, or otherwiseweaker second security policy can signify a higher risk in relying onthe second mobile agent, for example. This can bear toward trustingmessages from the first mobile agent, distrusting messages that mighthave been affected by the second mobile agent, dispatching one or moreadditional agents with better security, responding to messages from thesecond mobile agents with a special instruction, or the like. (Thespecial instruction may instruct the second mobile agent to terminate,accept a configuration upgrade, provide provenance or messagecertification, suspend action, or the like.) See, e.g., FIG. 21.

Referring now to FIG. 10, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown FIG. 10shows domain 1000 implementing at least five tiers 1001, 1002, 1003,1004, and 1005. Tier 1001 includes at least module 1011, module 1014,and module 1019, each of which comprises a highest-level control moduleof a respective application. Likewise, as shown, tier 1002 includesmodules 1021-1029, tier 1003 includes modules 1031-1039, tier 1004includes modules 1041-1049, and tier 1005 includes modules 1051-1059.Module 1019 links via control relationship or other linkage 1007 withone or more lower-tier modules, as shown, as does each of the othermodules in tiers 1001-1004.

Each of tiers 1001-1005 may be implemented either in software or inhardware. In some embodiments, successive tiers may comprise a hardwarelayer and a software layer configured to operate within the hardwarelayer. In an embodiment in which tier 1002 comprises a software layer,for example, module 1024 can be an application that is distributedbetween cores of a hardware layer (e.g. modules 1033, 1034 of tier1003). Alternatively or additionally, successive tiers may comprisehardware layers in some embodiments. This can occur, for example, in animplementation in which modules 1019, 1029 are circuitry coupled by asignal or other control path as linkage 1007. Alternatively oradditionally, successive tiers may each comprise protocol or softwarelayers in some embodiments. This can occur, for example, in animplementation in which modules 1033, 1034 each comprise functions,subroutines, or other logic that can be invoked by module 1024. Also asshown, tier 1002 can include cluster 1095 and domain 1000 can includeappnet 1062, explained below in reference to FIG. 32.

Those skilled in the art will recognize that a multi-tier architecturesuch as that of FIG. 10 can enhance control part or all of a network orapplication in a variety of cases. Even where a single critical rolecannot be divided, for example, domain performance can be enhanced bydividing a role between modules on a nearby tier. Sharing a role betweenmodules 1033 & 1034 can provide for load balancing or redundancy, forexample, so that fewer bottlenecks occur at module 1044 and module 1055.Various techniques for sharing a role, suitable for use in systems likedomain 1000, are taught in U.S. patent application Ser. No. 11/445,503(“Partial Role or Task Allocation Responsive to Data-TransformativeAttributes”), incorporated by reference to the extent not inconsistentherewith. Other suitable techniques are known to those skilled in theart.

In some implementations, the constructs defined in domain 1000 canfacilitate an orderly change in a succession of (hardware or software)modules. Many updates or other actions can primarily be characterized as“appnet-type” actions, such as those pertaining to changes primarily tomodules within a single appnet. Another type of “appnet-type” action canarise when a change can affect more than one appnet but in which oneupdate is of primary significance to a given group (tier 1005, e.g.) oruser (see FIG. 14, e.g.).

Another class of updates can primarily be characterized as “tier-type”actions, those pertaining to changes primarily to modules within asingle tier, or to modules within a given tier of a given appnet (e.g.to modules 1024-1026). Those skilled in the art will recognize thatsubstantially any of the operations described below can optionally beimplemented in a tier-type or appnet-type action for ease of managementwithin a domain or platform (see FIG. 13, e.g.).

Referring now to FIG. 11, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown system 1100includes processor 1130 configured to interact with dispatcher 1110 viaqueue 1103. Processor 1130 can include stack 1135, optionally includinghandler dispatcher 1136 configured for selectively accessing anddispatching one or more protocol handlers 1131, 1132. As shown, handlerdispatcher 1136 has dispatched protocol handler 1131 by configuring itto support Intermediate Processing Center (IPC) 1138 of process 1139.

In some embodiments, dispatcher 1110 can likewise interact with cache1151 via queue 1105. Cache 1151 can likewise be used for retrieving datafrom or writing data to storage 1154. Alternatively or additionally,dispatcher 1110 can interact with Network Interface Circuit (NIC) 1168,configured for sending or receiving messages 1161 via medium 1170. Insome embodiments, NIC 1168 can access memory 1166 through Direct MemoryAccess (DMA) 1163. Alternatively or additionally, one or more of thequeues 1103, 1105, 1106, 1108 can reside in memory 1166.

In some embodiments, dispatcher 1110 can control Route Control Processor(RCP) 1180 directly, or can interact with application processor 1189 viaqueue 1108 as shown. Application processor 1189 can (optionally) includeengine dispatcher 1185 configured to handle information resourcesselectively via one or more of Runtime Engines (RTE's) 1186, 1187, 1188.As shown application processor 1189 can access one or more of factsdictionary 1181, priority criteria 1182, or routing table 1183successively or otherwise as necessary so that information can flow fromeach or all to route control processor 1180.

In some embodiments, dispatcher 1110 is configured for logical routingby which application processor 1189 sends a message using a logicaldestination identifier. Facts dictionary 1181 can identify a suitablenode identifier consistent with the logical destination, if any suchidentifier is available. Otherwise application processor 1189 canrequest that dispatcher 1110 request a knowledge base update via queue1106, optionally with an update request that includes the logicaldestination. Application processor 1189 can use the response to generateeither a suitable node identifier or an error indication. In a scenarioin which the suitable node identifier is found, a physical route to thetable is found (from facts dictionary 1181, e.g.) and written intorouting table 1183. Those skilled in the art will recognize a variety ofprotocols and contexts with which system 1100 can operate, an example ofwhich is shown in FIG. 12.

Referring now to FIG. 12, there is shown another exemplary environmentin which one or more technologies may be implemented. As shownsignal-bearing medium 1270 (such as an optical fiber, wire, or freespace medium, e.g.) including at least one message 1210. Message 1210can include one or more of transport header 1230, physical header 1240,a physical payload 1250 of one or more event(s) 1252, or one or moreadditional section headers 1264, 1266. Section headers 1264, 1266 caninclude multimedia message extension (MIME) headers or the like, forexample. Alternatively or additionally, event(s) 1252 can each include arespective logical header 1254 or logical payload 1256, with the latteroptionally including one or more of app header 1257 or app payload 1258.App payload 1258 can include parameters and other controls, agent codeor service code modules or updates, data for use by an application orother service, service metadata or the like. In some embodiments, apppayload 1258 can comprise part or all of a computer program product asdescribed herein, for example, such as modules configured to perform oneor more variants as described below in reference to FIGS. 29-49.

Referring now to FIG. 13, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown platform1300 includes domain level 1310 and several optional implementationlevels that can (optionally) include one or more of appnet level 1320,group level 1330, server level 1340, deployment level 1350, or the like.In one implementation, retail trading domain 1311 can include a tradeclearing appnet 1321 associating “Production Servers” group 1331 withone or more applications (at deployment level 1350, e.g.). “ProductionServers” group 1331 may include one or more of web server 1341 (tosupport “Node1” function 1351, e.g.) or database server 1342 (to support“Pricedb” function 1352 or “Accounts” function 1353, e.g.).

In a parallel implementation, trusts domain 1314 can (optionally)include a portal appnet 1324 associating development group 1334, whichmay (optionally) include one or more of database server 1342, web server1344 (to support “Get Content” function 1355, e.g.), or app server 1346(to support Critical Resource Management Interface function 1356, e.g.).As shown, each of web server 1344 or app server 1346 can likewiseinclude login function 1354. Platform 1300 thus illustrates how appnetimplementations as described herein can function within or amongnetworks to enable a variety of coexisting functions or specialists tomanage diverse and complex tasks effectively.

In some implementations, higher-level modules can be organizedschematically or physically as distinct objects with linkages to relatedlower-level modules. Linkage 1392 can link “Production Servers” group1331 to database server 1342 logically or physically, in variousembodiments, as can linkage 1393 between database server 1342 and the“Pricedb” module 1352. In some embodiments, two or more such linkagescan be grouped, for example, as a composite virtual linkage through anintermediate module (channel 1391 through database server 1342, e.g.).

Referring now to FIG. 14, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown system 1400includes logic by which one or more domains of super-user 1406 eachinclude appnets represented by respective one of the p columns1461-1465. Likewise one or more domains of integrator 1407 each includeappnets represented by a respective one of the q columns 1471-1478.Likewise one or more domains of operator 1408 each include appnetsrepresented by a respective one of the r columns 1481-1486. As shown inrow 1401, Command Set₁ includes many commands 1409, various subsets ofwhich are permissible in each of the respective appnets shown as columns1461-1486. As shown in row 1402, Command Set₂ likewise includes manycommands 1409 of which various subsets are permissible in each of therespective appnets shown as columns 1461-1478. As shown in row 1403,moreover, Command Set₃ includes many commands 1409 of which varioussubsets are permissible in each of the respective appnets shown ascolumns 1461-1465. None of the commands 1409 of Command Set₂ arepermissible for operator 1408, however, as shown by the fact that row1402 is blank in columns 1481-1486. Row 1403 is likewise blank incolumns 1471-1486, signifying that none of the commands 1409 of CommandSet₃ are permissible for integrator 1407 or operator 1408.

In some variants, one or more commands 1409 of Command Set₁ in a givenappnet can overlap with some or all of the commands 1409 in otherappnets. Alternatively or additionally, more or less than three sets ofcommands can be defined to provide coarser or finer resolution in entityclasses. Alternatively or additionally, one or more of the entities(e.g. super-user 1406, integrator 1407, or operator 1408 can be a mobileagent or a user assisted by a software agent. Alternatively oradditionally, a quantity of a domain's defined appnets (e.g. p, q, or r)can change dynamically, such as by deactivating an infrequently usedappnet or adding a newly-implemented appnet responsive to a userrequest. Appnets can likewise be modified or substituted, alternativelyor additionally, as described below.

In some variants, super-user 1406 or the like can perform several of thecommands 1409 of Command Set₃ in row 1403 as shown, in an embodiment inwhich appnet 160 implements AppNet₁ of column 1461. Alternatively oradditionally, ASR 145 can manage appnet 150 with application manager 110as super-user 1406 or integrator 1407, for example. Alternatively oradditionally, ASR 145 can manage appnet 160 with client 120 asintegrator 1407 or operator 1408 in a variety of scenarios andconfigurations as described in further detail herein in FIGS. 38-42.Optionally, domain 140 can be depicted to include label(s) 166 (such as“Enterprise” or other identity-indicative or status-indicativeinformation) for appnets or the like.

Referring now to FIG. 15, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown FIG. 15depicts network 1500 comprising directory manager 1520 (UDDI,metadirectory, search engine, or other existing directory mechanism,e.g.) linked with one or more of corporation 1570 and company 1580. Insome embodiments corporation 1570 comprises a core or network withseveral applications 1571, 1572, 1573 of which one can communicate withdirectory manager 1520 via linkage 1521. App 1571 can use linkage 1521for adding an entry for a new user, for example, or for otherregistration-type functions. Company 1580 comprises a network in whichdomain 1585 can (optionally) include directory 1586 and can interfacethrough linkage 1522 using software agent 1589 (decision guidancesoftware or other existing agent, e.g.). Domain 1585 can likewiseinteract with several appnets 1581, 1582, 1583, some of which canoptionally be configured to interact with entities outside company 1580such as through linkage 1523. As shown, appnets 1581, 1582, 1583 eachinclude one or more core groups 1564 of processor cores, communicationnodes, or the like. Domain 1585 likewise includes cores 1565 accessibleto software agent 1589. (Those skilled in the art will recognize thatcore groups 1564 and cores 1565 can overlap one another and can, in someconfigurations, include multi-network linkages, shared resources, mobileor other wireless cores, or the like.)

In some configurations, a scenario can occur in which app 1571 registersone or more of its attributes with directory manager 1520, for examplein order to accommodate a request from appnet 1581 or otherwise toestablish a more trusted status for itself. Directory 1586 can containtopological information about each of appnets 1581, 1582, 1583,including how an application of each relates to their respective coregroups 1564 as shown. In this case directory 1586 can perform operation210 by virtue of appnet 1581 having earlier signaled how its applicationrelates to its core groups 1564.

Software Agent 1589 can subsequently receive data relating toapplication 1571 (e.g. a reputation indicator of corporation 1570 or thelike), optionally as a response to a query from software agent 1589.Software agent 1589 can then perform operation 220 by signaling (viacores 1565) a configuration change to a security service of appnet 1581,causing appnet 1581 to enhance a trust in or otherwise interactdifferently with app 1571.

Referring now to FIG. 16, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem1600 includes core 1680 and core 1690 operatively linked, for example,by channel 1610 including inter-core linkage 1685. Core 1690 can(optionally) include one or more of remote agents 1692 or data structure1695 (including data objects 1696, e.g.). Core 1680 can include one ormore of receiving module 1620 (optionally including message parser 1623,e.g.), decision module 1650, or interface module 1660. Decision module1650 can (optionally) include one or more of security configurationmonitor 1651, integrity policy update logic 1653, preferenceimplementation logic 1654 or security control logic 1656. Securitycontrol logic 1656 can include one or more of remote security logic1657, threat indicators 1658, or request 1659. Subsystem 1600 can beconfigured to perform flow 500. This can occur, for example, inembodiments in which interface module 1650 is configured to performoperation 580, in which receiving module 1620 is configured to receivethe input, and in which decision module 1650 is configured to performoperation 590.

Referring now to FIG. 17, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem1700 can (optionally) include one or more of core 1781, core 1782, core1783, core 1784, core 1785, core 1786, or core 1787. Adjacent pairs ofthese cores (e.g. core 1781 with each of cores 1782-1787) are linked bypassive media 1712 as shown. Subsystem 1700 can also include one or moreof module 1751, module 1752, module 1753, module 1754, module 1755,module 1757, module 1758, or module 1759. Each of modules 1751-1759 caninclude one or more processes 1794, controls 1795, resources 1796, orpolicies 1797, some of which are shown. For example, module 1753 caninclude type one policy 1798, and module 1751 can include type twopolicy 1799. Module 1754 as shown includes at least one of each of thesepolicies 1798, 1799.

Referring now to FIG. 18, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem1800 includes code generation circuitry 1830 operatively coupled withchannel 1810 through communication circuitry 1840 with channel 1810.Code generation circuitry 1830 can include first memory 1850 (optionallyincluding a variant of module 1757 of FIG. 17) or second memory 1860.Second memory 1860 can include one or more of situational self-analysislogic 1861, transaction analysis logic 1862 or situationalclassification logic 1865. Subsystem 1800 can be configured to performflow 800. This can occur, for example, in embodiments in which module1757 is configured as the first agent, in which code generationcircuitry 1830 is configured to perform operation 880, and in whichcommunication circuitry 1840 is configured to perform operation 890.

Referring now to FIG. 19, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown network 1900includes local subsystem 1901 operatively coupled with remote core 1985through at least linkage 1911 of channel 1910. Linkage 1911 can(optionally) include a wireless communication medium or incorporateactive signal relay circuitry in some embodiments. Remote core 1985includes module 1758 with processes 1794, resource 1796, and policies1797. In some embodiments core 1785 implements remote core 1985. Localsubsystem 1901 can include at least receiving module 1920, resourcemodule 1960 or core control module 1990. Receiving module 1920 caninclude one or more of core description registry 1921, zonal registry1922, cost registry 1924, unpacking logic 1926 (optionally includingenvelope object 1927), service handle registry 1929, timingcertification logic 1930, data request logic 1937 or status registry1940. Timing certification logic 1930 can include criteria update logic1932 or timing criteria 1934 (optionally with one or more arrival timelimits 1935). Status registry 1940 can include one or more of agentstatus registry 1943, resource status registry 1945 or core statusregistry 1947. Resource module 1960 can include one or more of networkinterface 1961, transaction authorization logic 1962 (includingauthorization criteria 1963, e.g.), intrusion response logic 1965,routing logic 1968, or antenna 1969. Core control module 1990 caninclude one or more of core operating system controls 1991 or operatingsystem upgrade logic 1997.

Referring now to FIG. 20, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown channel 2060links subsystem 2050 of first network 2000 with second network 2100.Subsystem 2050 as shown can include module 1754 (with type one policy1798) and module 1755 (with type two policy 1799), optionally in aconfiguration like that of FIG. 17. Second network 2100 can includepolicy association module 2030 and evaluation module 2070 as shown.Policy association module 2030 can include one or more of associationlogic 2034 and associations 2035 (association agent identifiers 2036with policy definitions 2037 in a one-to-one association). Associations2035 can likewise include many-to-one or one-to-many associations.Evaluation module 2070 can include one or more of messages 2090 orevaluations 2099. Second network 2100 can be configured to perform flow900. This can occur, for example, in embodiments in which policyassociation module 2030 performs operation 960 and in which evaluationmodule 2070 performs operation 970.

Referring now to FIG. 21, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem2100 includes policy association module 2130, resources 2150, andevaluation module 2170 linked, such as by channel 2110. Policyassociation module 2130 can (optionally) include one or more ofactivation logic 2131, selection circuitry 2132, association logic 2133,code generation circuitry 2135, data integrity policies 2136, firstsecurity policy circuitry 2138, or second security policy circuitry2139. Resources 2150 can include one or more of user interface 2151,storage 2152, policies 2153, or deployment module 2160. Policies 2153can include one or more confidentiality policies 2154, transactionintegrity policies 2155, policy identifiers 2157, or policy definitionlogic 2158. Deployment module 2160 can include one or more of firstagent 2161, second agent 2162, mobile deployment logic 2163, antenna2165, router 2168, or one or more routes 2169. Evaluation module 2170can include one or more of signal evaluation circuitry 2171, triggeringcircuit 2178, authentication logic 2183, policy manger 2187, or messagehandler 2190. Signal evaluation circuitry 2171 can include one or moreof criteria 2172, positive response logic 2173, ranking 2174, orexplanation 2176. Triggering circuit 2178 can include enable logic 2179.Authentication logic 2183 can include data 2184. Policy manager 2187 caninclude one or more of policy update circuitry 2188 or policy list 2189.Message handler 2190 can include one or more of message parser 2191,network interface 2192, level indicators 2195, one or more inquiries2197 or signals 2198. Subsystem 2100 can be configured to perform flow900. This can occur, for example, in embodiments in which policyassociation module 2130 is configured to perform operation 960 and inwhich evaluation module 2170 is configured to perform operation 970.

Referring now to FIG. 22, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem2230 includes one or more of data manager module 2220, link managementmodule 2240, core 2252, or linkage module 2270 linked together, such asby channel 2210 as shown. Data manager module 2220 can (optionally)include one or more of data storage device 2221 (with data structure2222), memory device 2224 (with data structure 2225), caching logic2226, update logic 2227, clock circuit 2228, first network access portlinkage 2231, second network access port linkage 2232, estimates 2234,computations 2235, or tabular data grid 2236. Link management module2240 can (optionally) include destination update logic 2243, router2244, formula definition logic 2247, or formula update logic 2248.

Subsystem 2230 can (optionally) include tabular data appnet 2250including core 2252. Tabular data appnet 2250 can further include core2251 or core 2253 as shown. Core 2251 can (optionally) include SDO 2289for updating DDO 2287 of core 2252 via linkage 2288. Alternatively oradditionally, core 2251 can include DDO 2280 configured for receivingdata from SDO 2282 via linkage 2281. SDO 2282 of core 2252 can likewisereceive data via linkage 2283, such as by a formula. Core 2252 and core2253 can likewise contain LDO's 2284, 2286 each for receiving data fromthe other via linkage 2285. In some configurations destination updatelogic 2243 can be configured for maintaining one or more of linkages2281, 2283, 2285, 2288 as shown. Linkage module 2270 can include one ormore of association logic 2271, record update logic 2272, table entries2275 linking handles 2203 with physical addresses 2204, linkageindication module 2276, implementation logic 2278 or receiving logic2279. Table entries 2275 can be configured to link handles 2203 withphysical addresses 2204 in one-to-one, many-to-one or one-to-manyrelationships. Subsystem 2230 can be configured to perform flow 600.This can occur, for example, in embodiments in which linkage module 2270performs operation 610 and in which linkage management module 2240performs operation 620. Operation 620—deciding whether to update thetabular data object in response to the inter-core linkage obtained inassociation with the tabular data object—can be performed, for example,by linkage management module 2240 accessing data objects using handles2203 of linkages with physical addresses 2204. The linkages can includelinkage 2281, linkage 2285, or linkage 2288. See, e.g., FIGS. 45 & 46and their description below.

Referring now to FIG. 23, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown linkage 2311(of channel 2310, e.g.) links first network 2200 with second network2300. Second network 2300 includes SDO's 2390 (e.g. type 1 SDO 2391,type 2 SDO 2392, or type 3 SDO 2393) or DDO's 2395 (e.g. type 1 DDO2396, type 2 DDO 2397, or type 3 DDO 2398), optionally in one or moredata structures of one or more modules (not shown).

Subsystem 2340 of first network 2200 can (optionally) include one ormore of interface 2307, data manager module 2320, decision module 2350,or interface module 2360. Interface 2307 can include one or more offirst input device 2301, second input device 2302 or one or more outputdevices 2309. Data manger module 2320 can include data structure 2322containing SDO's 2385 (e.g. type 1 SDO 2386, type 2 SDO 2387, or type 3SDO 2388) or DDO's 2380 (e.g. type 1 DDO 2381, type 2 DDO 2382, or type3 DDO 2383). Decision module 2350 can include one or more of selectiveupdate logic 2351, protocol logic 2352, linkage request logic 2354,message parser 2355, first delegation logic 2357, second delegationlogic 2358 or implementation logic 2359. Interface module 2360 caninclude one or more of plotting logic 2362, view selection logic 2363(e.g. with alphanumeric values 2364), data format logic 2365, drawinglogic 2367, display control logic 2368, or cognitive symbols 2369.Subsystem 2340 can be configured to perform flow 500. This can occur,for example, in embodiments in which interface module 2360 performsoperation 580 and in which decision module 2350 performs operation 590.See, e.g., FIGS. 43 & 44 and their description below.

Referring now to FIG. 24, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown localsubsystem 2401 is operatively coupled with remote subsystem 2490 viachannel 2450 including linkage 2481. Linkage 2481 can be wireless or canincorporate active signal relay circuitry, for example. Remote subsystem2490 can include an appnet, multicore processor, local area network orother cluster of processors or other cores, such as “first” and “second”cores in some embodiments.

Local subsystem 2401 includes at least first signaling module 2410,second signaling module 2420 (of third core 2403, e.g.), and resources2470. Third core 2403 can further (optionally) include one or more offirst signaling module 2410 or resources 2470. First signaling module2410 can include one or more of code distribution logic 2411 or antenna2419. Resources 2470 can include input-responsive configuration logic2473 (with values 2474, e.g.), local configuration logic 2475, imagingdevice 2476, delegation logic 2477, or storage medium 2478. In someembodiments, storage medium 2478 can contain part or all of a computerprogram product as described herein, for example, such as modulesconfigured to perform one or more variants as described below inreference to FIGS. 29-49.

Second signaling module 2420 can include one or more of record receiver2421, content modifier 2422, deployment logic 2423, core configurationlogic 2425, or halt logic 2427. As shown, remote subsystem 2490 includesmodule 1758, (at least) processes 1794, resource 1796, or policies 1797.For example, remote subsystem 2490 can optionally implement subsystem1700 as shown in FIG. 17.

Referring now to FIG. 25, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem2500 includes ASR 2530, resources 2560, agent configuration module 2580,and agent deployment module 2590 operatively coupled, for example, bychannel 2510. ASR 2530 can (optionally) include transmitter 2531,multi-core configuration logic 2535, input-responsive configurationlogic 2536, service manager 2538, object identifier 2539, message input2541, message output 2542, script editor 2543, update processor 2545,interrupt handler 2547, core reset logic 2548, or reboot logic 2549.Transmitter 2531 can include service identifiers 2532 or service changespecifications 2533. Resources 2560 can (optionally) include evaluator2561, transmitter 2562, or receiver 2565. Transmitter 2562 can includesignal 2563 or port 2564. Receiver 2565 can include relayed data 2566,situational input 2567, policies 2568, or agent output 2569.

Agent configuration module 2580 can (optionally) include memory manager2576 (with memory 2575), receiver 2577, code generator 2578, linkingmodule 2579, location designation logic 2582, inquiry transmitter 2583,network interface 2585, deployment manager 2587, allocation manager2589, implementer 2570. Implementer 2570 can include one or more of riskdependency logic 2572, location dependency logic 2573, or capacitydependency logic 2574. Agent deployment module 2590 can includetransmitter 2591, location designation logic 2598, or networkconnectivity table 2599. Transmitter 2591 can (optionally) include oneor more of passive channel 2592, router 2593, antenna 2594, or networkinterface 2595.

FIG. 26 shows network 2600 including at least domain 2601 and interface2607. Interface 2607 includes one or more input devices 2608 (e.g.keyboards, pointing devices, touch-screen elements, voice recognitioncircuitry, or other user input devices, or network interface circuitry)or one or more output devices 2609 (e.g. transmitters, speakers,projectors, or the like). In some embodiments, interface 2607 cancomprise one or more of a hand-held device, a wireless device, abrowser, a content-aware agent, or the like. Alternatively oradditionally, subsystem 2802 likewise includes or couples with powersupply 2604 configured to provide power via one or more of linkages2803-2827.

Domain 2601 includes one or more of subsystem 2610 or cluster 2690.Subsystem 2610 can (optionally) include one or more of ASR 2620 or ASR2650 coupled via linkage 2627, with power supply 2604, or with one ormore processors 2605. ASR 2620 or ASR 2650 can be implemented within oracross one or more processing cores as software or firmware in someembodiments. Alternatively or additionally, instances of each can beimplemented partly or entirely in application-specific circuitry. Insome embodiments, part or all of domain 2601 can be implemented on asingle integrated circuit chip. Those skilled in the art willappreciate, however, that power supply 2604 or the like can beimplemented off-chip, for example, in a portable device, vehicle, orother stand-alone server.

Some implementations of ASR 2620 can include one or more of servicedirectory 2642, object directory 2643, data manager 2644, or appnetdepicter 2613. As shown, service directory 2642 or object directory 2643can each include one or more definitions 2602 each corresponding to oneor more identifiers 2603 (in a one-to-one, a many-to-one, or aone-to-many relationship, e.g.). In some implementations, for example,object directory 2643 can include routing information or the like,optionally built as a distributed index or widely replicated at severalremote locations. Each site can optionally be constructed with a localcache of logical names primarily useful with a regional or other clusterof cores of subsystem 2610, in some embodiments. Appnet depicter 2613can include one or more of group depicter 2614, abstracter 2615, optiondepicter 2617, or resource depicter 2618.

Some implementations of ASR 2650 can include one or more of appnetmanager 2653, control utility 2661, or implementer 2662. ASR 2650 canlikewise include one or more of adapter app 2666 (with integrationmodule 2676, e.g.), servicelet app 2667 (with function interface module2677, e.g.), routelet app 2668 (with message handling module 2678,e.g.), or policy app 2669 (with rule handler 2679, e.g.).

Subsystem 2610 can connect via one or more linkages 2628 with cluster2690, which includes one or more of cores 2691-2693 each including oneor more of processes 2694, controls 2695, or resources 2696. Application2697 as shown, for example, can include one of the processes 2694, oneof the controls 2695, and one of the resources 2696 that can each beaddressable or otherwise named entities. Alternatively or additionally,application 2697 can include processes 2694, controls 2695, andresources 2696 of core 2692. Optionally, cores 2691-2693 can likewiseinclude entities of each of these types (processes 2694, controls 2695,or resources 2696) in another application 2698. Domain 2601 can includeone or more of appnet 2687 (relating application 2697 to two or morecores 2691-2693) or appnet 2688 (relating application 2698 to two ormore cores 2691-2693).

Referring now to FIG. 27, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown subsystem2700 includes signaling module 2701, aggregation module 2702,transmission module 2703 and one or more resources 2704 operativelylinked, for example, by channel 2710. Signaling module 2701 can(optionally) include data manager 2744, dispatcher 2745, selectionmodule 2746, messaging module 2747, and integration module 2748.Resources 2704 can (optionally) include policy implementer 2770, datahandler 2790, or cluster definitions 2799. Policy implementer can(optionally) include inclusion criteria 2771, associations 2772, oridentifications 2773. Data handler 2790 can include one or more ofaggregation 2731, router 2737 or one or more types of data 2791.Aggregation 2731 can include register values 2732, app handles 2733,version identifiers 2735 or the like. Router 2737 can include coreselector 2738 or app selector 2739. Data 2791 can include connectivitystates 2792, error records 2793, timestamps 2794, addresses 2795, searchterms 2797, event indicators 2798 or the like.

Aggregation module 2702 can include receiver 2722 (with data 2723,e.g.), query agent 2727, app interface 2728, aggregator 2730, or policymanager 2760. Policy manager 2760 can (optionally) include updatecircuitry 2762, policy definitions 2763, or policy selector 2768. Policydefinitions 2763 can (optionally) include security policies 2764,filtering 2765, or compliance policy 2766. Transmission module 2703 can(optionally) include extractor 2774 or signal generator 2781. Extractor2774 can include distiller 2775, combiner 2776, sampler 2778, orresponder 2779. Signal generator 2781 can (optionally) include triggersignal 2782, policy invoker 2784, graphical output 2785, text output2787, or transmitter 2788.

Referring now to FIG. 28, there is shown an exemplary environment inwhich one or more technologies may be implemented. As shown network 2800includes subsystem 2802 optionally including one or more of appnet 1062of FIG. 10, processor 1130 of FIG. 11, directory manager 1520 of FIG.15, code generation circuitry 1830 of FIG. 18, or interface 2607 orcluster 2690 of FIG. 26. Alternatively or additionally, subsystem 2802can include one or more of app service router 2866, signaling circuitry2868, aggregation circuitry 2871, transmitter 2874, receiver 2875,resources 2876, first decision circuitry 2878, second decision circuitry2879, linkage circuitry 2881, linkage management circuitry 2882, agentconfiguration circuitry 2893, agent deployment circuitry 2894, policyassociation circuitry 2897, or evaluation circuitry 2898.

In some embodiments network 2800 can include linkage 2803 betweensubsystem 2802 and channel 303 of FIG. 3. Alternatively or additionally,network 2800 can include linkage 2812 between subsystem 2802 and signalbearing medium 1270 of FIG. 12. Alternatively or additionally, network2800 can include linkage 2813 between subsystem 2802 and channel 1391 ofFIG. 13. Subsystem 2802 can likewise couple with passive media 1712 ofFIG. 17. Alternatively or additionally, network 2800 can include linkage2816 between subsystem 2802 and channel 1610 of FIG. 16, linkage 2819between subsystem 2802 and channel 1910 of FIG. 19, linkage 2820 betweensubsystem 2802 and channel 2060 of FIG. 20, linkage 2822 betweensubsystem 2802 and channel 2210 of FIG. 22, linkage 2823 betweensubsystem 2802 and channel 2310 of FIG. 23, linkage 2824 betweensubsystem 2802 and channel 2450 of FIG. 24, linkage 2821 betweensubsystem 2802 and channel 2110 of FIG. 21, linkage 2825 betweensubsystem 2802 and channel 2510 of FIG. 25, or linkage 2827 betweensubsystem 2802 and channel 2710 of FIG. 27.

In some embodiments, subsystem 2802 can include app service router 2866comprising application-specific circuitry or software-configuredcircuitry for implementing one or more of the five items as shown withinsignaling module 2701 of FIG. 27, such as that described below. In someembodiments, “software-configured circuitry” operable for a definedfunction can be implemented by configuring general purpose circuitry orthe like via a transmission or storage medium bearing one or moreexecutable instructions operable for the defined instruction.

Alternatively or additionally, signaling circuitry 2868 can likewiseinclude application-specific circuitry or software-configured circuitryfor implementing one or more of the five items as shown within secondsignaling module 2420 of FIG. 24. Aggregation circuitry 2871 canlikewise include either or both (in combination) for implementing one ormore of the items shown within aggregation module 2702 of FIG. 27.Alternatively or additionally, transmitter 2874 can likewise implement atransceiver or transmission module 2703 with application-specificcircuitry or software-configured circuitry implementing one or more ofthe items shown therein.

In some embodiments, interface 2607 in FIG. 26 or FIG. 28 can likewisecomprise application-specific circuitry or software-configured circuitryfor implementing any of the several items as shown within interfacemodule 2360 of FIG. 23. Alternatively or additionally, first decisioncircuitry 2878 can likewise include either or both for implementing oneor more variants of decision module 2350 as described herein. Seconddecision circuitry 2879 can likewise include either or both forimplementing one or more variants of decision module 1650 as describedherein. Linkage circuitry 2881 can likewise (optionally) includeapplication-specific circuitry or software-configured circuitry forimplementing linkage module 2270 with one or more of the six itemstherein as shown in FIG. 22. In some embodiments, linkage managementcircuitry 2882 can comprise either or both for implementing one or moreitems within linkage management module 2240 as shown in FIG. 22.

In some embodiments, agent configuration circuitry 2893 can likewise(optionally) include application-specific circuitry orsoftware-configured circuitry for implementing any of the several itemsas shown within configuration module 2580 of FIG. 25. Agent deploymentcircuitry 2894 can likewise include either or both for implementing oneor more items as shown within agent deployment module 2590 of FIG. 25,or the like. In some variants, policy association circuitry 2897 canlikewise include application-specific circuitry or software-configuredcircuitry for implementing one or more items in policy associationmodule 2130 or the like. Likewise evaluation circuitry 2898 can likewiseinclude either or both, including one or more items as shown inevaluation module 2170 of FIG. 21.

Referring now to FIG. 29, there are shown several variants of the flow400 of FIG. 4. Operation 450—aggregating information in response to datareceived after signaling the first application relating with the firstcore and with the second core—may (optionally) include one or more ofthe following operations: 2951, 2954, 2956, or 2958. Operation460—transmitting at least a portion of the information aggregated inresponse to the data received after signaling the first applicationrelating with the first core and with the second core—may include one ormore of the following operations: 2961, 2962, or 2967.

Operation 2951 describes implementing at least one aggregation policyobtained from the received data (e.g. implementer 370 configuringaggregator 330 to capture registry data, process data, or similar“snapshot” data from cores 391, 392 hourly whenever app 397 remainsactive). This can occur, for example, in embodiments in which signalingmodule 311 is configured to perform operation 210, in which aggregationmodule 312 is configured to perform operation 450, and in whichtransmission module 313 is configured to perform operation 460.

Operation 2954 describes receiving an indication of activity in thefirst application as the data received after signaling the firstapplication relating with the first core and with the second core (e.g.app interface 2728 receiving a heartbeat or the like from app 397 aftercompleting a successful handshake with some portion of appnet 350). Theappnet portion can comprise one of the apps 397, 398 or cores 391, 392,for example, in some embodiments. This can occur, for example, inembodiments in which signaling module 2701 implements signaling module311 and in which aggregation module 2702 implements aggregations module312. Alternatively or additionally, the indication of activity caninclude an acknowledgement or other reply from some portion of appnet350 (or a network manager associated with the appnet, e.g.) responsiveto an inquiry or other transmission from signaling module 311.

Operation 2956 describes receiving a selection of the first applicationas the data received after signaling the first application relating withthe first core and with the second core (e.g. receiver 319 receiving anidentifier of app 397 after signaling module 311 signals at least app397 relating with core 391 and with core 392). The identifier can(optionally) include one or more of a filename, a process name, aproduct name, a username, a pathname or other address, an encodedidentifier, or the like. Alternatively or additionally, the applicationselection can (optionally) include a control identifier, a reference toa portion of the application, a menu option, a reference that logicallymaps to a selection of the application, or the like. Alternatively oradditionally, signaling module 311 can signal other apps (app 398, e.g.)relating with cores 391, 392 or other cores relating with app 397. SeeFIG. 19, e.g. Alternatively or additionally, in some embodiments,signaling module 321 or other portions of subsystem 302 can be includedand configured to perform operation 2956, receiving the selection frominterface 325 or the like.

Operation 2958 describes requesting information from the firstapplication (e.g. query agent 2727 requesting a progress indication,functional or other role-descriptive information, activity information,loading information, availability information, code segments, or thelike from app 398). The requested information can pertain to arequest-receiving application (to app 398, e.g.) or to anotherapplication residing in an overlapping set of one or more cores (to app397, e.g.). In a scenario in which the requested information issubsequently obtained, it can optionally be aggregated (by aggregator330, e.g.) or used for defining or updating one or more aggregationcriteria as taught herein.

Operation 2961 describes signaling an application cluster relating withthe first core and with the second core, the application clusterincluding at least the first application (e.g. signal generator 2781 andone or more cluster definitions 2799 indicating that cluster 2690contains at least application 2697 and more than one of cores 2691,2692, and 2693). This can occur, for example, in an embodiment in whichsubsystem 2610 implements subsystem 2700, in which aggregation module2702 and one or more resources 2704 jointly implement operation 450, andin which at least transmission module 2703 implements operation 460.Alternatively or additionally, signal generator 2781 can be configuredto receive a portion of aggregation 2731 via extractor 2774. In somevariants, signal generator 2781 can perform such functions responsive totrigger signal 2782, which can include one or more of a clock signal, adigital message from input devices 2608, a processor interface signal orthe like.

Those skilled in the art will recognize that operative recitations orother roles can be implemented by circuitry or other logic notspecifically described herein, in some variants, or by entitiesdescribed herein in relation to other operations. Operation 2961 can belikewise be performed by some implementations of integration module2748, for example, such as by linking each of a suite of networkingapplications with cores 2691, 2692, 2693. This can occur, for example,in embodiments in which subsystem 2610 includes an instance of subsystem2700 operatively coupled at least to power supply 2604 and cluster 2690,in which signaling module 2701 is configured to perform operation 210,in which aggregation module 2702 is configured to perform operation 450,and in which transmission module 2703 is configured to perform operation460. Some or all of resources 2704 can be implemented as resources 2696of cluster 2690 and, alternatively or additionally, some or all ofsubsystem 2700 can be implemented as a distributed application across aplurality of cores (e.g. across processors 2605).

Operation 2962 describes transmitting at least the portion of theaggregated information according to a dissemination policy relating withthe application cluster (e.g. extractor 2774 extracting one or moreevent indicators 2798 according to a security or other communicationpolicy implemented by policy invoker 2784). Such policies can includepublic key encryption, error correction, or other ordinaryauthentication policies, for example, many of which can be used by thoseskilled in the art in the present context, without undueexperimentation.

Operation 2967 describes transmitting the portion of the aggregatedinformation in response to a roughly contemporaneousselection-indicative signal (e.g. extractor 2774 sending a search resultwithin about a day of receiving a search term). This can occur, forexample, in embodiments in which data handler 2790 uses one or moresearch terms 2797 for extracting the portion(s) to transmit, in which aninstance of aggregation module 2702 can perform operation 450, and inwhich at least transmission module 2703 and one or more resources 2704jointly perform operation 460. Alternatively or additionally, a triggersignal 2782 (e.g. request messages) can provide protocol informationaffecting how and when the information portion is transmitted. In someembodiments, the selection-indicative signal identifies a result format,transmission type, block size, character sets, syntax, sequence ofresponse, or other protocol-related aspects of the information portionto be transmitted.

Referring now to FIG. 30, there are shown several variants of the flow400 of FIG. 4 or 29. Operation 210—signaling a first applicationrelating with a first core and with a second core—may include one ormore of the following operations: 3043, 3044, or 3046. Operation450—aggregating information in response to data received after signalingthe first application relating with the first core and with the secondcore—may include one or more of the following operations: 3051, 3053,3054, 3055, or 3058.

Operation 3043 describes sending a message to the first applicationrelating with the first core and with the second core (e.g. messagingmodule 2747 signaling an application-wide policy change to a modelingapplication having active components in more than one core of cluster2690). The modeling application may be implemented as application 2697,for example, including one or more processes 2694, one or more controls2695, or one or more resources 2696 in each of cores 2691, 2692. In someembodiments, messages can be configured for direct or indirecttransmission to one or more of these components, for example, such as bycontent distribution systems known by those skilled in the art.

Operation 3044 describes identifying a portion of the first applicationat the first core (e.g. data manager 2744 indicating one or moreresources 2696 comprising data within or otherwise accessible toapplication 2697). This can occur, for example, in embodiments in whichresources 2696 include network access port linkages, conventional datastructures, or the like. Alternatively or additionally, the applicationportions at the “first” core (core 2692, e.g.) can include processes2694, controls 2695, output signals, or the like. In some embodiments,“identifying” includes providing or determining an origin, groupaffiliation, handle, nature, or definitive characteristics of theapplication portion.

Operation 3046 describes signaling via a control an option to includethe first application (e.g. selection module 2746 or option depicter2617 causing a selection mechanism to appear at an interface enablingoptions for an entity to address the application or not). In someembodiments, for example, output device 2609 (implemented at adminstation 115, e.g.) can present several options of which a firstidentifies appnet 150 and a second identifies appnet 160. Input device2608 can likewise be configured to enable a selection of one or more ofthese options.

Operation 3051 describes adding one or more policy selections to a dataaggregation (e.g. policy selector 2768 selecting one or more of securitypolicies 2764, filtering 2765, or compliance policy 2766 for use withaggregator 2730). Alternatively or additionally, receiver 2722 can beconfigured to perform operation 3051 by logging or otherwise gatheringindications of the selections into aggregation 2731 or the like. In someembodiments, the selections can be indicated or supplemented by contentsuch as weblogs, podcasts, websites, or the like.

Operation 3053 describes adding one or more error records to a dataaggregation (e.g. aggregator 2730 adding one or more error records 2793to data 2791). In some embodiments, aggregator 2730 uses compliancepolicy 2766 or filtering 2765 in determining what constitutes an errorneeding documentation in error record 2793. Those skilled in the artwill recognize a variety of contexts from which such determinations canreadily be adapted, applied for aggregation, and used for characterizinganomalous behavior in a system, for example.

Operation 3054 describes adding one or more connectivity indicators to adata aggregation (e.g. aggregator 2730 adding one or more connectivitytesting outcomes or other connectivity states 2792 to data 2791). Insome embodiments, connectivity states 2792 can include a measurement, afailure indication, a diagnostic report, or the like. “Adding” canoptionally include appending, arithmetically or logically combining,initializing, conditionally superseding, or otherwise injecting new datainto the aggregation.

Operation 3055 describes adding to a data aggregation at least a portionof the data received after signaling the first application relating withthe first core and with the second core (e.g. aggregator 2730 andfiltering 2765 jointly injecting part of data 2723 into aggregation 2731or the like after messaging module signals application 2698 relatingwith cores 2691, 2692). The data added can include version identifiers2735, for example, even while omitting received software or other datato which the version identifiers 2735 pertain. Alternatively oradditionally, the data to be added can (optionally) include one or moreof register values 2732, app handles 2733, connectivity states 2792,error records 2793, timestamps 2794, addresses 2795, search terms 2797,event indicators 2798, or the like.

Operation 3058 describes updating a policy for aggregating theinformation (e.g. update circuitry 2762 modifying one or more policydefinitions 2763 affecting an operational mode by which aggregator 2730operates). In some embodiments, the updated policy may include aquality-of-service policy, a security policy, a virtual private networkpolicy, a verbosity policy, or the like.

Referring now to FIG. 31, there are shown several variants of the flow400 of FIG. 4, 29, or 30. Operation 450—aggregating information inresponse to data received after signaling the first application relatingwith the first core and with the second core—may include one or more ofthe following operations: 3152, 3153, or 3156. Operation460—transmitting at least a portion of the information aggregated inresponse to the data received after signaling the first applicationrelating with the first core and with the second core—may include one ormore of the following operations: 3164, 3166, 3167, or 3169.

Operation 3152 describes including at least in a data aggregation aservice configuration change indicator and at least one of an errorrecord, a timestamp, or a network address (e.g. policy manager 2760applying filtering 2765 to record timing or other aspects of serviceconfiguration changes signaled in operation 220 or its variants, astaught herein). In some embodiments, for example, aggregator 2730 caninclude one or more error records 2793, one or more timestamps 2794, orone or more network addresses 2795 in aggregation 2731. For example,this can occur in embodiments in which subsystem 2610 includes one ormore instances of subsystem 2700 operatively coupled to power supply2604 or to one or more processors 2605, in which aggregation module 2702is configured to perform operation 450, and in which ASR 2650 isconfigured to perform operation 220.

More generally, embodiments of flow 400 can generally incorporateinstances of flow 200 or its variants as taught herein in FIGS. 38-42.Aggregator 2730 can log the partial service configuration changesignaled at operation 220 or its variants, for example. Alternatively oradditionally, those skilled in the art will recognize that operations450 and 460 or their variants can be performed before, during, or inalternation with operation 220 in some embodiments.

Operation 3153 describes including at least one or more object handlesin a data aggregation (e.g. aggregator 2730 including domain names, IPaddresses, or other addresses 2795 in aggregation 2731). Aggregation2731 can contain one or more resource records, for example, associatingthe network address with some addressable object.

Operation 3156 describes adding one or more search terms to a dataaggregation (e.g. aggregator 330 appending a message indicating a searchterm to data 331). The message can include a username or account or atimestamp with a search result, for example. In some implementations,for example, the search result can indicate which of apps 397, 398 isconfigured to use a printer, storage module, or other device identifiedby the search term.

Operation 3164 describes associating a dissemination policy at leastwith the first application and with a recipient identifier (e.g.combiner 2776 associating a highly secure protocol to a tradingapplication providing information to a specific investor or class ofinvestors). For an anonymous “guest” user requesting appnet informationrelating to local support services, conversely, combiner 2776 maydefault to an association with a much more liberal security or otherdissemination policy. Alternatively or additionally, the disseminationpolicy may include a lower level of detail or system control for theanonymous user.

Operation 3166 describes associating a dissemination policy with atleast the first application (e.g. policy invoker 2784 assigning amultiple-tier dissemination policy for an array of users as indicated incolumns 1461, 1471, and 1481 of FIG. 14). This can occur, for example,in embodiments in which aggregation module 2702 can perform operation450, in which transmission module 2703 can perform operation 460, and inwhich one or more commands 1409 in each cell of column 1461 or of row1401 contain extraction commands executable by extractor 2774 (forreducing or presenting data as text output 2787 or graphical output 2785from signal generator 2781, e.g.).

Operation 3167 describes transmitting at least the portion of theaggregated information according to the dissemination policy (e.g.distributing a weekly or other occasional extraction from aggregation2731 to addresses 2795, consistent with addresses 2795 having beendefined or filtered by policy invoker 2784). In some embodiments, theextraction can result from signal generator 2781 receiving a triggersignal 2782 indicating an event such as an apparent security breach, anoverflow condition, or similar error signal recognizable by conventionalcomparisons or the like. Alternatively or additionally, the extractioncan include part or all of the above-referenced multiple-tierdissemination policy, such as for giving each of several users auser-specific weekly report.

In some variants, some or all components of aggregations module 2702(policy definitions 2763, e.g.) can reside among resources 2704, forexample, accessible by signaling module 2701 or transmission module2703. Policy definitions 2763 may include a data retention policy or thelike, for example, causing portions of aggregation 2731 or data 2791 tobe discarded after a period of time, a period of non-use, an extractionevent, or the like. Trigger signal 2782 can thus cause an extractionoperation that includes data removal, in some embodiments.

Operation 3169 describes transmitting the portion of the aggregatedinformation in response to an authority-indicative request message (e.g.responder 2779 and transmitter 2788 jointly transmitting anaccounting-appnet-specific extraction after responder 2779 validates apassword or biometric data to authenticate a request for the report fromone or more users of the “Accounting” domain). The user(s) can includeintegrator 1407 for example, in some embodiments. Alternatively oradditionally, transmitter 2788 can transmit the information portiondirectly or indirectly responsive to such a request message.

Referring now to FIG. 32, there are shown several variants of the flow400 of FIG. 4, 29, 30, or 31. Operation 450—aggregating information inresponse to data received after signaling the first application relatingwith the first core and with the second core—may include one or more ofthe following operations: 3252, 3253, 3255, 3256, or 3258. Operation460—transmitting at least a portion of the information aggregated inresponse to the data received after signaling the first applicationrelating with the first core and with the second core—may include one ormore of the following operations: 3264, 3265, 3266, or 3269.

Operation 3252 describes signaling an application cluster relating withthe first core and with the second core, the application clusterincluding at least the first application (e.g. app interface 2728addressing modules 1024-1026 of FIG. 10 as a single entity characterizedor otherwise listed in cluster definitions 2799). This can occur, forexample, in any of the embodiments described in which aggregation module2702 can perform operation 450 and in which channel 2710 is directly orindirectly coupled with appnet 1062.

Alternatively or additionally, app interface 2728 can provide one ormore aspects of how the cluster relates with the cores, such as in adomain (domain 1000, e.g.) to be used frequently for accessing two ormore applications as a cluster. In some implementations of appnet 1062,for example, tier 1002 can include three functionally relatedapplications (module 1024, 1025, 1026, e.g.) addressable as a cluster topermit a joint operation by or upon all three with a minimal servicedisruption.

Operation 3253 describes applying a common data aggregation policy tothe application cluster (e.g. aggregator 2730 causing the applicationcluster to pause and report a status or progress regularly oroccasionally). The status or progress can relate to one or moreprocesses, cores, or resources in an appnet of the cluster, for example.In some embodiments, the aggregation policy includes one or morespecifications of which phenomena are to be measured, which measurementsare to be combined, which combinations are to be transmitted, whichtransmissions are to be aggregated, or which aggregations are to beretained. Those skilled in the art can incorporate existing policies ofany of these types, or others, into the present context without undueexperimentation.

Operation 3255 describes establishing an aggregation agent at a thirdcore (e.g. dispatcher 2745 sending a mobile agent or the like asaggregator 2730 to core 2693 for gathering data sent by other cores2691, 2692 in cluster 2690). Alternatively or additionally, dispatcher2745 or the aggregation agent can occasionally generate data requests orother triggers causing one or more of cores 2691, 2692 to send data asdescribed herein to the “third” core.

Operation 3256 describes establishing a linkage between the aggregationagent and at least one of the first core or the second core (e.g. router2737 adding core 2693 to cluster 2690 in the above example). This canoccur, for example, by router 2737 allocating channel 2710 or linkage2628, at least temporarily linking core 2693 (at which aggregator 2730has been established, e.g.) with core 2691. (Those skilled in the artwill recognize the foregoing as one of many examples of flows hereinthat can be performed in a different sequence than that shown. Of coursea linkage between cores 2691 and 2693 can be established before orduring operation 3255, for example, so that establishing the agentestablishes the linkage.)

Operation 3258 describes recording one or more system registry values(e.g. aggregator 2730 recording one or more register values 2732 inresponse to an interrupt or the like in the data received aftersignaling the application relating with the first core and with thesecond core). In some instances, for example, an entire system registrycan be pushed onto a stack in response to a system error that aborts aprocess.

Operation 3264 describes including at least a link-layer protocolindicator within the portion of the aggregated information (e.g. sampler2778 capturing an indication of whether incoming packets came viaEthernet, Wi-Fi, Token Ring, PPP, ATM, Frame Relay, SMDS, or the like).In some embodiments, of course, the information portion need not includepackets, or the link layer may signify a protocol outside the internetprotocol suite.

Operation 3265 describes including at least a time-indicative eventindicator within the portion of the aggregated information (e.g.responder 2779 responding to input with a plot of one or more parametersversus time as graphical output 2785). Operation 3265 can occur, forexample, in embodiments in which signaling module 2701 performsoperation 210, in which aggregation module 2702 performs operation 450(individually or jointly with resources 2704), and in which transmissionmodule 2703 performs operation 460. The parameter(s) can include one ormore of an error count, a port usage or resource level, apattern-matching event symptomatic of a worm or other malicious agent,or the like.

Operation 3266 describes selecting the portion of the aggregatedinformation in response to receiving a selection policy (e.g. distiller2775 selecting a representative portion of the information aggregated inresponse to receiving one or more new executable instructions or otherselection parameters). The representative portion can include everytenth record, for example, in an embodiment in which other records arediscarded. Alternatively or additionally, in some embodiments distiller2775 can be adjusted so that a diagnostically probative portion of theaggregated information is selected.

Operation 3269 describes broadcasting at least the portion of theaggregated information (e.g. transmitter 2788 transmitting at leastevent indicators 2798 as text output 2787 to several destinations ataddresses 2795). Alternatively or additionally, the information portioncan be sent to some or all cores within a tier, appnet or domain, insome embodiments. This can occur, for example, in embodiments in whichtransmission module 2703 can perform operation 460 by broadcasting asecurity or priority protocol change to all modules 1024, 1025, 1026 incluster 1095.

Referring now to FIG. 33, there are shown several variants of the flow900 of FIG. 9. Operation 960—associating a first mobile agent with afirst security policy and a second mobile agent with a second securitypolicy—may include one or more of the following operations: 3364, 3367,3368, or 3369. Operation 970—evaluating a received message at least inresponse to an indication of the first security policy and to anindication of the second security policy—may include one or more of thefollowing operations: 3371, 3373, or 3375.

Operation 3364 describes causing the first security policy to includeone or more confidentiality policies (e.g. first security policycircuitry 2138 including one or more confidentiality policies 2154). Insome embodiments, a confidentiality policy can ensure that a first levelof information cannot be accessed by a subject at any lower level ofauthorization. Alternatively or additionally, the access can bemodulated so that the level of a required authorization depends uponwhether the mode of accessing the information is to include reading,writing, modifying, executing or the like. This can occur, for example,at least in embodiments in which module 1751 implements the “first”mobile agent, in which policy association module 2130 is configured toperform operation 960, in which evaluation module 2170 is configured toperform operation 970, and in which first security policy circuitry 2138is implemented as one or more of software, firmware, hardware, or mediabearing signals. Alternatively or additionally, first security policycircuitry 2138 can include one or more of message encryption, userauthentication, shrink-wrap licensing or other digital rights managementtechnologies available to those skilled in the art.

Operation 3367 describes activating the first security policy at leastin the first mobile agent (e.g. first security policy circuitry 2138 andactivation logic 2131 jointly implementing a heartbeat, a provenanceindication or the like in a spawning agent or the like). This can occur,for example, in embodiments in which the mobile agent includes a brokeragent, a content delivery agent, a synthesizing agent, a research agentor the like. Likewise the first security policy can include securitypolicies referenced herein or combinations of them, as will beunderstood by those skilled in the art. In some variants, the “first”security policy can include data integrity policies such as a “no writeup, no read down” policy. Alternatively or additionally, such policiescan include transaction integrity policies 2155 such as recording atleast an authorization identifier and timestamp in association with eachqualifying transaction. Those skilled in the art can implement manyother existing data or transaction integrity policies selectively foruse as the first security policy without undue experimentation.(Alternatively or additionally, of course they can likewise includeimplementations of flow 700 or flow 800 as taught herein for embodimentsin which one or more of the mobile agents are remote.)

Operation 3368 describes causing the second security policy to includeone or more integrity policies (e.g. second security policy circuitry2139 including data integrity policies 2136 or transaction integritypolicies 2155). Alternatively or additionally, this variant can includeone or more of operation 3364, operation 3367, or other operationsaffecting or effectuating other security policies. This can occur, forexample, in embodiments in which policy association module 2130 canperform operation 960, in which message evaluation module 2170 canperform operation 970, and in which module 1753 implements the “first”mobile agent.

Operation 3369 describes associating the first security policy at leastwith the first mobile agent and with the second mobile agent (e.g.association logic 2133 including a record or function that maps at leastan identifier of the policy with the two or more mobile agents).Alternatively or additionally, the association may include activating orotherwise implementing the first security policy in the first or secondmobile agents. In some variants, second security policy circuitry 2139and association logic 2133 can jointly perform operation 3369 byproviding specific security instructions to all addressable mobileagents in subsystem 1700. The security instructions may include aperiodic or occasional intrusion detection procedure, an incoming datafilter implementation, a conditional security deactivation instruction,a handshaking protocol or the like as known by those skilled in the art.Alternatively or additionally, one or more agent selection criteria maybe applied for deciding which software agents receive the specificsecurity instructions.

Operation 3371 describes evaluating the received message at least partlyas a roughly contemporaneous response to receiving the indication of thefirst security policy (e.g. triggering circuitry 2178 causing one ormore other portions of evaluation module 2170 to begin processing thereceived message within about a day of receiving the indication). Thiscan occur, for example, in embodiments in which the evaluation of arecent message (e.g. that the first mobile agent “needs a firewall”) ischanged (e.g. to “needs a transaction security protocol”) in response tothe indication (e.g. that the first mobile agent “has Firewall X”). Insome embodiments, the message evaluation can yield an error message, anevent record, a process initiation, a reconfiguration, a levelindication or the like. Alternatively or additionally the evaluation canbe performed with user interaction, such as by indicating the firstsecurity policy and receiving the evaluation at user interface 2151responsive to a suitably authorized user logging on a few weeks afternetwork interface 2192 receives a message.

Operation 3373 describes receiving a level indicator as the indicationof the first security policy or the indication of the second securitypolicy (e.g. network interface 2192 receiving “high,” 61%, or 5th as oneor more level indicators 2195 signifying a capacity, an activity level,a ranking, or the like). Alternatively or additionally, the levelindicator may relate meaningfully with some other quality-indicativemeasure such as recency, value, safety, performance, or the like.

Operation 3375 describes requesting the indication of the first securitypolicy (e.g. policy update circuitry 2188 requesting message handler2190 to broadcast one or more inquiries 2197 relating to securitypolicies in use in nearby cores). In some embodiments, for example,module 1752 may transmit inquiries 2197 to this effect to each of cores1782 through 1787, requesting a direct response to core 1781.

Referring now to FIG. 34, there are shown several variants of the flow900 of FIG. 9 or 33. Operation 960—associating a first mobile agent witha first security policy and a second mobile agent with a second securitypolicy—may include one or more of the following operations: 3465 or3466. Operation 970—evaluating a received message at least in responseto an indication of the first security policy and to an indication ofthe second security policy—may include one or more of the followingoperations: 3471, 3472, 3475, or 3477.

Operation 3465 describes configuring the first mobile agent with one ormore instructions able to cause the first mobile agent to transmit anindicator of the first security policy (e.g. code generation circuitry2135 creating module 1758 able to transmit policy identifiers 2157indicating one or more policies 1797). This can occur, for example, inembodiments in which module 1758 implements the “first” mobile agent, inwhich core 1785 comprises subsystem 2100, in which at least part ofevaluation module 2170 can perform operation 970, and in which channel2110 can be coupled to transmit one or more of module 1758 or a messageidentifying the “first” security policy. Alternatively or additionally,the message can include a timestamp, a status, an event log, informationabout one or more processes 1794 or resources 2150 available at core1785, or the like.

Operation 3466 describes configuring the second mobile agent with one ormore instructions able to cause the second mobile agent to transmit atleast a portion of the second security policy (e.g. code generationcircuitry 2135 configuring the “second” mobile agent with one or moredata integrity policies 2136 comprising policy definition logic 2158such as executable virus scanners and other malware detection code).Alternatively or additionally, code generation circuitry 2135 can beconfigured to manipulate first mobile agent such as by performingoperation 3465. In some embodiments, multiple instances of operation3465 or 3466 can be performed in creating or dispatching a population ofmobile agents so that more than one agent has information about otheragents' security policies in a specific domain.

Operation 3471 describes obtaining an identifier of the second mobileagent (e.g. authentication logic 2183 interpreting data 2184 to identifythe second mobile agent as a string of “Field_(—)22” within data 2184).Data 2184 may indicate Field_(—)22 as a sender or subject of data 2184,for example, in a scenario in which that agent was expected to remainanonymous. Alternatively or additionally, authentication logic 2183 canbe configured to identify the second mobile agent implicitly by findinga sign of that agent in data 2184 (e.g. by intercepting a spywaremessage or the like identifying “Field_(—)22” as locally resident).

Operation 3472 describes determining the indication of the secondsecurity policy responsive to the identifier of the second mobile agent(e.g. policy manager 2187 determining a “breached” status responsive tothe above-described events.) Alternatively or additionally, the secondsecurity policy can include an alarm signal (e.g. transmitted to thesecond mobile agent via antenna 2165), an upgrade, or other securitymodification as the indication of the second security policy.

In other instances policy manager 2187 may receive an informationrequest such as a function call asking for information about module 1759(e.g. identifying the second mobile agent in an argument). Policymanager 2187 may be configured to respond by looking up the secondsecurity policy (e.g. as a table look-up function using policy list2189), for example, and optionally by providing information about thesecond security policy to the requesting entity.

Operation 3475 describes receiving an indication of a third securitypolicy as the indication of the first security policy and as theindication of the second security policy (policy manager 2187 receivingpolicy list 2189 containing several policies as the third securitypolicy). In some embodiments, policy list 2189 may likewise beconfigured to include associations between the first and second securitypolicies and one or more mobile agents or other modules. Theassociations may identify one or more of (a) a module that currentlysubscribes, (b) a module that is able to subscribe, (c) a module thathas previously subscribed, to the first or second security policy.Alternatively or additionally, policy list 2189 may include supplementalinformation such as one or more pointers to confidentiality policies2154, transaction integrity policies 2155, or other policy definitionlogic 2158 of resources 2150.

Operation 3477 describes distilling from the received message at leastan affirmative indication as one or more of the indication of the firstsecurity policy or the indication of the second security policy (e.g.message parser 2191 gleaning from signals 2198 that type 1 policy 1798is in effect in module 1753 and that type 2 policy 1799 is in effect inmodule 1751). This can occur, for example, in embodiments in which themessage reports or instructs that type 1 policy 1798 and type 2 policy1799 each provide some security. The message may include text such as“Policy_M2=1” or “ON,” executable code or register bit values similarlysignifying security activation, or similar representations of severaltypes recognized by those skilled in the art. Alternatively oradditionally, of course, the message can optionally signify one or morenegative indications such as security policy deactivations.

Referring now to FIG. 35, there are shown several variants of the flow900 of FIGS. 9, 33, and 34. Operation 970—evaluating a received messageat least in response to an indication of the first security policy andto an indication of the second security policy—may include one or moreof the following operations: 3572, 3574, or 3576. Operation3550—performing one or more additional operations—may include one ormore of the following operations: 3551, 3553, 3554, or 3559.

Operation 3572 describes deciding whether to enable a triggering circuitin response to the indication of the second security policy (e.g. enablelogic 2179 enabling some other portion of evaluation module 2170 inresponse to one or more indicators of type 2 policy 1799). This canoccur, for example, in embodiments in which policy association module2130 can perform operation 960, in which evaluation module 2170 canperform operation 970, in which enable logic 2179 is configured toenable triggering circuit 2178 in response to at least one potentialvalue of the second security policy indication. In one such embodiment,type 2 policy 1799 defines a network interface enable bit having a “set”value (e.g. 1) to which enable logic 2179 responds by enabling networkinterface 2192. In some variants, type 2 policy 1799 can likewise defineone or more other enable bits each respectively controlling access toone or more of resources 2150, signal evaluation circuitry 2171,authentication logic 2183, policy manager 2187, message handler 2190, orthe like.

Operation 3574 describes transmitting a yes-or-no decision (e.g.positive response logic 2173 producing no output or otherwise signalinga negative decision). This can occur, for example, in response to anindication that first security policy circuitry 2138 requires messagesto have a checksum of 3, that second security policy circuitry 2139requires messages to have at most ten bytes, and that the receivedmessage is a 94-byte message having a checksum of 2. The negativedecision in this example thus indicates the message apparently did notcome from any agent with the first or second security policy.Alternatively or additionally, a yes-or-no decision can indicate whetheran error has occurred, whether a policy has been employed, whether atask shall proceed, or whether some other hypothesis is supported byobservations. Alternatively or additionally, the evaluation(s) caninclude a level or other non-Boolean outcome.

This can likewise occur in a variant in which the first and secondsecurity policies do not call the mobile agents to generate heartbeatsignals, and in which the received message includes a heartbeat signal.The decision can thus indicate that the received message apparently didnot come from the first or second mobile agent, for example. In someembodiments, such decisions can trigger a deployment (of a patch ordiagnostic agent, e.g.) or be used as a basis for deciding whether toignore a message. Alternatively or additionally, the message canindicate that one or more of the policies are to be ignored, forexample, by virtue of module having disabled a policy. The message canlikewise contain a policy dictating that other information is to beignored such as trust indications, expected message protocols or thelike.

Operation 3576 describes evaluating a signal containing the receivedmessage (e.g. message handler 2190 and signal evaluation circuitry 2171jointly producing ranking 2174 or explanation 2176 responsive toreceiving signals 2198). This can occur, for example, in embodiments inwhich packets, tasks, or other messages in the signal includepriority-indicative data that can be used to rank them. The sampleportion can include a digital signal decoded by a Viterbi detector orthe like, for example. Alternatively or additionally, the responsivevalue can correlate with an error rate estimate, a confidence estimaterelating to the received message, or other quality indicator(s). In someembodiments, some samples or portions of the signal can be disallowed sothat the received message excludes them. Alternatively or additionally,such responsive values can be used as the evaluation(s) or furtherprocessed such as by one or more lookup tables to generate the scalarscore, decision, or other evaluation.

Operation 3551 describes deploying at least the first mobile agent andthe second mobile agent (e.g. deployment module 2160 deploying firstagent 2161 and second agent 2162). This can occur, for example, inembodiments in which these agents are mobile. In some embodiments, theymay be deployed into respective cores (e.g. 1781-1783) in direct mutualcommunication (respectively as modules 1755, 1754, e.g.). Alternativelyor additionally, one or more of the modules may be deployed locally todeployment module 2160.

Operation 3553 describes deploying at least the first mobile agent viathe second mobile agent (e.g. mobile deployment logic 2163 deployingfirst agent 2161 from second agent 2162). This can occur, for example,in embodiments in which the “first” agent is first deployed (e.g. asmodule 1753 into core 1782), which later in turn deploys the “second”agent (e.g. as module 1751 into core 1782). In some embodiments anoriginating agent includes evaluation module 2170, for example,including triggering circuitry 2178 for signaling when module 1751should be deployed.

Operation 3554 describes deploying the first mobile agent remotely (e.g.deployment module 2160 and router 2168 jointly deploying first agent2161 via one or more routes 2169). In an embodiment in which core 1785includes subsystem 2100 configured to deploy first agent 2161 to core1782, for example, routes 2169 can include numerous options even in theenvironment of subsystem 1700 (e.g. via core 1781; via cores 1786, 1787;via cores 1786, 1781, 1787; via cores 1786, 1781; via cores 1781, 1787;via cores 1784, 1781; via cores 1786, 1781, 1784, 1783; or via cores1784, 1783). In some embodiments router 2168 implements one or morepolicies 1797 for controlling routes selected for deploying one or moreportions of the first mobile agent. In one scenario, for example, thefirst mobile agent includes module 1757 in transit between core 1785 andcore 1781 as a step toward deployment module 2160 performing operation3554.

Operation 3559 describes deploying at least the second security policyto the first mobile agent (e.g. message handler 2190 deploying at leastone of policies 2153 to first agent 2161, before or after deploymentmodule 2160 deploys first agent). In various embodiments, the secondsecurity policy can include, activate, modify, transmit, perform orotherwise implement one or more logical blocks of the first mobileagent, for example.

Referring now to FIG. 36, there are shown several variants of the flow800 of FIG. 8. Operation 880—providing a first agent with code forresponding to situational information about the first agent and about asecond agent—may include one or more of the following operations: 3682,3683, 3685, 3686, 3687, or 3689. Operation 3690—performing one or moreother operations—may include one or more of the following operations:3691, 3693, 3695, 3697, or 3699.

Operation 3682 describes implementing a situation-dependent logic tablein the first agent (e g linking module 2579 providing digital logic thatgenerates one or more bits responsive to inputs that indicate a statusof at least the first and second agent). This can occur, for example, inembodiments in which operation 880 is performed by agent configurationmodule 2580, in which operation 890 is performed by agent deploymentmodule 2590, in which module 1751 implements the first agent, in whichresources 1796 of module 1751 include the digital logic, and in whichone or more portions of ASR 2530 or resources 2560 are configured tointeract with module 1751. Each input can, in some embodiments, relateto only one of the agents of subsystem 1700. In other embodiments one ormore of the inputs can jointly describe some aspect of more than one ofthe agents (e.g. a fault bit set when any agent signals a fault tolinking, and otherwise generally not set). Alternatively oradditionally, the situation-dependent logic table implementation canencode and depend upon situational aspects such as location, connectiontypes and other aspects of resources, trust indications and otheraspects of policies, resource and policy availability, active processesor controls, timestamps, version indicators, or the like.

Operation 3683 describes associating the second agent with a remotelocation (e.g. location designation logic 2582 locally identifying aremote core at which the second agent is or was situated). In someembodiments the second agent can include a mobile agent associatedsuccessively with a series of past or current remote locations such asmay be specified by IP addresses. Alternatively or additionally, someremote locations associated with the second agent may include planned orpotential locations within a directory structure. The first agent canoptionally be configured to perform operation 3683, such as in anembodiment in which module 1751 implements the first agent, in whichmodule 1752 implements the second agent, and in which one or moreresources 1796 of module 1751 can perform the associating. This canenable a module in a more-trusted location to monitor a module inunknown location, in some situation, such as when core 1782 is moretrusted than core 1781. Even without such trust information, though,positioning agents for monitoring other agents remotely can enhanceoperational safety.

Operation 3685 describes sending an inquiry to a network location (e.g.inquiry transmitter 2583 and network interface 2585 jointly pollingnearby network locations to determine whether any have a specificresource). The specific resource can include one or more of a processingpower surplus, an upgrade, electrical power, internet service,geographic information, surplus storage or the like, optionally withinor otherwise controlled by a software module (e.g. resources 1796controlled by module 1752). In some embodiments, the inquiry isbroadcast to any available nodes of an ad hoc network. It will beunderstood, however, that many variants of flow 800 described herein canbe implemented even in the absence of a network.

Operation 3686 describes receiving data from the network location (e.g.network interface 2585 and receiver 2565 receiving packet data from anetwork that includes subsystem 1700 via channel 2510). This can occur,for example, in embodiments in which agent configuration module 2580 andresources 2560 jointly perform operation 880, in which at least ASR 2530is configured to perform operation 890, and in which in which the datacan be treated as a response to the inquiry or otherwise asresource-indicative data.

Operation 3687 describes deploying a mobile software agent as the secondagent (e.g. allocation manager 2589 moving an executable portion ofmodule 1752 into memory and triggering one or more processes 1794leading to a departure of module 1752 from core 1781). The one or moreprocesses 1794 can serve other roles as exemplified herein, for example,in module 1752 or other modules of subsystem 1700 as shown.Alternatively or additionally, operation 3687 may comprise deploying themobile software agent at a remote core or other location outside thecore at which allocation manager 2589 operates (e.g. outside core 1781).

Operation 3689 describes transmitting the second agent to a processingcore (e.g. deployment manager 2587 sending module 1757 to a core able toperform one or more data-transformative operations.) Thedata-transformative operations can include one or more of encrypting,compiling, compressing, or multiplexing, for example. This can occur,for example, in embodiments in which subsystem 2500 resides locally atthe processing core (e.g. core 1785). Alternatively or additionally,router 2593 can be used to transmit the second agent through one or moredata relay cores or the like in an ad hoc network, which need not beconfigured to perform any processing of the second agent.

Operation 3691 describes generating the situational information at leastpartly based on an agent output (e.g. evaluator 2561 determining that anagent's environment is normal responsive to an absence of alerts or toan expected output from the agent). The expected output can include anoutcome from a negotiation or other task, timestamps, visited locationsor other provenance data, a heartbeat, gathered data or the like, forexample. The evaluator can incorporate expectation logic (not shown)defining criteria by which the agent output is to be judged, suitableexamples of which are readily available to those skilled in the art.

Operation 3693 describes sending a signal to the first agent (e.g.transmitter 2562 sending signal 2563 via port 2564 as one or moreresources 1796 to module 1754). Signal 2563 can include an executablemodule that resides alongside the first agent in a common core, forexample (e.g. by using module 1755 for updating module 1752 in core1781). Alternatively or additionally, signal 2563 can include virusvectors, resource definition data, price negotiation data or othercomparative information for use by the first agent for performing aprimary function (e.g. price negotiation or related research) orsecondary function (e.g. a mobile agent firewall or network topologydiscovery). In some embodiments, signal 2563 includes a heartbeat, alocation identifier, a password or other mechanism for communicatingwith another agent, or other resources. In some embodiments, the signalis likewise sent to the second or other agents (e.g. in a broadcastoperation by transmitter 2562).

Operation 3695 describes receiving a security policy update (e.g.receiver 2565 receiving agent output 2569 indicating a revision of asecurity mechanism of subsystem 2500 or an agent residing there). Insome embodiments, the update can simply be a change to a version numberin a record describing the agent or the core in which it operates.Alternatively or additionally, the update can include a moduleimplementing the security policy update, such as a replacement for anexecutable decryption module or the like.

Operation 3697 describes receiving situational data about the secondagent via the first agent (e.g. receiver 2565 receiving relayed data2566 about module 1758 via module 1759). This can occur, for example, inembodiments in which module 1759 implements the “first” agent, in whichmodule 1758 implements the “second” agent, and in which the first agentmonitors, receives, or otherwise gleans situational data about the firstagent. In some embodiments, the second agent resides within or near thefirst agent (i.e. at core 1785) and distills a concise inference aboutthe situation of the first agent. The inference can include anindication of trust or risk, for example, responsive to a reaction time,ownership, task attribute, connection type, resource status, or otheraspect of core 1785.

Operation 3699 describes receiving situational data from the secondagent (e.g. receiver 2565 receiving situational input 2567 describingcomputing environment attributes relating to a domain including thesecond agent). Alternatively or additionally, the first agent can relayor otherwise receive the data from the second agent (e.g. ASR 2530receiving the situational data from the second agent as message input2541, optionally discarding some of the data and relaying other parts asmessage output 2542).

Referring now to FIG. 37, there are shown several variants of the flow800 of FIG. 8 or 36. Operation 880—providing a first agent with code forresponding to situational information about the first agent and about asecond agent—may include one or more of the following operations: 3781,3782, 3784, 3785, 3786, or 3789. Operation 890—deploying the firstagent—may include one or more of the following operations: 3792, 3794,3796, or 3798.

Operation 3781 describes obtaining one or more risk indicators in thesituational information about the first agent and about the second agent(e.g. implementer 2570 with risk dependency logic 2572 receiving rawvulnerability data such as an indication of a successful remote access).In some embodiments, risk indicators can be summarized or presented inconjunction with a responsive action such as an executable securityprotocol update module that can directly modify one or more of theagents. Alternatively or additionally, the obtained risk indicators canbe distilled into more concise risk indicators (e.g. “medium” risk or“R=2” to a denial-of-service-type attack) for aggregation ortransmission to a remote network management site. Those skilled in theart can readily implement such functions in light of teachings hereinand of the general methodologies used, for example, in commonvulnerability evaluation software such as Nessus (see NESSUS.COM), GFILANguard (see GFI.COM), ISS Internet Scanner (see ISS.NET) or the like.

Operation 3782 describes including at least code for receiving acapacity indicator of the situational information (e.g. implementer 2570with capacity dependency logic 2574 indicating a quantity ofcomputational, storage, carrying or other capacity currently orpotentially available). The capacity indicator can (optionally) includea count, percentage, or vector-valued entity. Alternatively oradditionally, the included value can indicate a capacity indirectly,such as by giving a cores' response time in milliseconds as an indicatorof its available capacity.

Operation 3784 describes including at least code for obtaining a handleof a network location of the situational information (e.g. implementer2570 with location dependency logic 2573 remotely or locally invoking autility that generates one or more addresses). The utility can functionlike TCPView or Netstat, for example, generating one or more addressesfor each of several connections or processes or the like.

Operation 3785 describes receiving a mobile software agent as the firstagent (e.g. memory manager 2576 receiving at least a portion of module1755 into memory 2575 responsive to receiver 2577 receiving at least theportion from outside subsystem 2500). The can occur, for example, inembodiments, in which core 1781 implements subsystem 2500, in whichagent configuration module 2580 is configured to perform operation 880by receiving part or all of the mobile software agent into module 1755piecemeal, and in which ASR 2530 is configured to perform operation 890.

Operation 3786 describes obtaining the code for responding to thesituational information about the first agent and about the second agentbefore obtaining the first agent (e.g. memory manager 2576 and receiver2577 jointly receiving receiver 2565 for inclusion in the “first”agent). In some implementations, operation 3786 can later be completedby code generator 2578 and memory manager 2576 jointly generating thefirst agent by assembling components in memory 2575 with receivedreceiver 2565.

Operation 3789 describes configuring the first agent with policy updatecode (e.g. receiver 2577 and code generator 2578 implementingmalware-indicative or other anomaly signature data in one or morecontrols 1795 operable to update a policy in module 1757). Controls 1795for updating policies 1797 can be implemented as one or more codeblocks, one or more executable instructions for modifying controls 1795that configure a policy, one or more assignments or replacement values,or the like such as are known by those skilled in the art. In someimplementations policies 1797 employed by processes 1794 are pervasivelycontrolled by software switches, for example, for reducing the necessityof replacing executable code.

Operation 3792 describes deploying the first agent to a first coreoperable to transmit a signal to a location of the second agentsubstantially directly via a passive medium (e.g. transmitter 2591depositing module 1754 in core 1783 directly coupled to core 1782 viaone or more passive media 1712). In the configuration as shown, the“second” agent can comprise module 1751 or module 1753. In someembodiments the substantially direct couplings can include one or moreof an antenna, an optical fiber, a wire, a free space medium or thelike, without active interstitial elements such as network nodes.

Operation 3794 describes deploying the first agent to a first core ableto communicate with the second agent (e.g. at least router 2593 andnetwork connectivity table 2599 jointly deploying module 1755 into core1781). This can occur, for example, in embodiments in which the “second”agent includes module 1751, module 1752, or some other module thatnetwork connectivity table 2599 indicates as having a suitable linkageto module 1755.

Operation 3796 describes deploying the first agent locally (e.g. atleast location designation logic 2598 deploying module 1751 locally intocore 1782). This can occur, for example, in an embodiment in which atleast some of subsystem 2500 resides in core 1782. Module 1753 canoptionally be configured to contain subsystem 2500 in some embodiments,for example. Such a “local” deployment can likewise include sendingmodule 1751 locally to another core implemented on a common integratedcircuit with at least a portion of agent deployment module 2590.

Operation 3798 describes deploying the first agent to a first locationin response to an association between a second location and the secondagent (e.g. deployment module 2160 sending first agent 2161 to core 1781rather than to core 2691 responsive to an indication that second agent2162 has been routed to core 1782). This can occur, for example, inembodiments in which a current location of the second agent is unknownor in which the domain of each core is known. In some embodiments thefirst location is selected to be remote from the second location, suchas those in which deployment module 2160 implements a dispersion ofrelated agents that favors a first deployment into each listed domainover other deployments. Alternatively or additionally, in someembodiments, a decision to place the first agent into a domain (e.g.subsystem 1700) can depend at least partly on an indication of whetherone or more functionally related agents exist within the domain. SeeU.S. patent application Ser. No. 11/396,396 (“Code InstallationDecisions for Improving Aggregate Functionality”) filed 31 Mar. 2006 byCohen et al., commonly assigned herewith, and incorporated herein byreference to the extent not inconsistent with this document.

Referring now to FIG. 38, there are shown several variants of the flow200 of FIG. 2. As shown, operation 210 describes signaling anapplication relating with a first core and with a second core. Operation220—signaling via a third core a partial service configuration change atleast in the first core in response to data received after signaling thefirst application relating with the first core and with the secondcore—may include one or more of the following operations: 3821, 3822,3825, or 3827. Operation 3830—performing one or more otheroperations—may include one or more of the following operations: 3831,3832, 3835, 3836, or 3838.

Operation 3821 describes signaling a reboot at the first core responsiveto input received after displaying an indication of the first core (e.g.control utility 2661 sending an acknowledgment to one or more outputdevices 2609 responsive to a reboot instruction from one or more inputdevices 2608). This can occur, for example, after control utility 2661sends an instruction causing group depicter 2614 to show a graphicaldisplay depicting at least core 2691, and after control utility 2661receives an indication of a user instruction to reboot core 2691. Insome scenarios, the instruction to reboot the first core can be receivedas a menu selection or an acceptance of a suggestion to reboot the firstcore presented at one or more output devices 2609, such as by optiondepicter 2617. Alternatively or additionally, the first core reboot canbe effectuated by core reset logic 2548 transmitting a reset signal tothe first core (core 2691, e.g.). This can occur, for example, inembodiments in which channel 2510 is operably coupled with power supply2604

Operation 3822 describes updating a portion of a service configuration(e.g. servicelet app 2667 upgrading a library or other resources 2696 ofapplication 2697). In some embodiments, servicelet app 2667 can performsuch an upgrade as a portion of an appnet-wide or tier-wide upgrade (ofappnet 1062 or tier 1002, e.g., in an embodiment in which the modules1011-1059 of domain 1000 of FIG. 10 comprise cores 2691-2693 of cluster2690 of FIG. 19).

Alternatively or additionally, in some embodiments, adapter app 2666contemporaneously provides one or more instances of integration module2676 as resources 2696 that enable interaction with a remaining portionof the service configuration of the first core (core 2691, e.g.). Suchresources 2696 can include message transformation modules such as areknown by those skilled in the art, commercially available from providerssuch as RosettaNet, ebXML, or SAP. Alternatively or additionally,resources 2696 can include HTTP, HTTPS, SOAP, SMTP, or other transportprotocols such as are known by those skilled in the art.

Operation 3825 describes signaling an initialization in a portion of thefirst core and in a portion of the second core (e.g. function interfacemodule 2677 initiating at least two processes 2694 of application 2698as shown). This can occur, for example, in an embodiment in which appnetdepicter 2613 can perform operation 210 and in which servicelet app 2667can perform operation 220 (alone or in combination with core 2693,e.g.).

Operation 3827 describes suspending a service at the first core (e.g.halt logic 2427 setting one or more controls 2695 of remote subsystem2490 to cause one of the processes 1794 to pause, such as in response toan instruction to pause a print job). In some configurations this canlikewise be performed by implementer 2662 altering one of controls 2695of core 2692 to disable another of controls 2695 or to deny access to aspecific requester or the like. Alternatively or additionally, in someembodiments, operation 3827 can be performed effectively by removing ordenying access to resources (e.g. policy app 2669 signaling core 2693with instructions to take one or more resources 2696 controllable bycore 2693 offline).

Operation 3831 describes indicating at least one of the firstapplication, the first core, and the second core to an interface (e.g.message handling module 2678 indicating a relationship betweenapplication 2698, core 2691, and core 2692 by showing names or symbolsof each at interface 2607). This can occur, for example, in embodimentsin which control utility 2661 can perform operation 210, in which appnetmanager 2653 can perform operation 220, and in which at least routeletapp 2668 can perform operation 3830. Alternatively or additionally,message handling module 2678 can display a graphical relationship likethat of FIG. 1, optionally including additional features to indicateprocess activity, resource availability, or one or more controls 2695available to a user at interface 2607.

Operation 3832 describes receiving input from the interface (e.g.function interface module 2677 receiving a menu selection or buttonactivation from interface 2607). Alternatively, in an embodiment of FIG.11, Network Interface Card 1168 can receive addressing and payloadsrelating the application to the RTE's 1186, 1187, 1188 viasignal-bearing medium 1270 of FIG. 12). The addressing can includelayered logical or physical addresses in some embodiments. Inembodiments like that of FIG. 12, payloads (app payload 1258, e.g.) canlikewise include application data or program code (e.g. rules). This canoccur in variants of FIG. 11, for example, in which dispatcher 1110routes such relation-indicative information to queue 1105 for storage orto queue 1108 for processing.

Alternatively or additionally, in some scenarios, RCP 1180 receives thecontent of one or more messages 1161 via queue 1108. This can occur, forexample, by dispatcher 1110 and RCP 1180 jointly applying one or morepriority criteria 1182 for a next-available one of the RTE's 1186, 1187,1188 so that RCP 1180 generates a highest priority task of queue 1108based on the content of message 1161. RCP 1180 can then assign eachnext-available runtime engine (RTE 1187, e.g.) to become an instance ofprocessor 1130 assigned to process the content (by writing data torouting table 1183, e.g.).

Operation 3835 describes relating a second application to at least thefirst core in response to the data received after signaling the firstapplication relating with the first core and with the second core (e.g.engine dispatcher 1185 of FIG. 11 adding RTE 1188 to portal appnet 1324of FIG. 13). This can occur, for example, in embodiments in which the“other” application is the portal application, in which RTE 1188implements database server 1342, in which Network Interface Card 1168can perform operation 210, in which RCP 1180 can perform operation 220,and in which application processor 1189 can perform operation 3830. Sucha relation may be advantageous, for example, in embodiments in whichengine dispatcher 1185 determines that database server 1342 has surplusprocessing, memory, or storage capacity needed by the “other”application.

Operation 3836 describes signaling one or more core-specificconfiguration changes in response to the data received after signalingthe first application relating with the first core and with the secondcore (e.g. policy app 2669 configuring rule handler 2679 to implement arestart of one or more processes 2694 within core 2692 responsive to anerror message). This can occur, for example, in an embodiment in whichcore 2692 is the first or second core of flow 200, in which the datareceived indicates a code or configuration update, in which appnetmanager 2653 can perform operation 210, and in which control utility2661 can perform operation 220.

Operation 3838 describes recording an indication of the signaled firstapplication (e.g. dispatcher 1110 queuing an application-indicativerecord in queue 1105 for writing into storage 1154). This can occur, forexample, in embodiments in which dispatcher 1110 responds to one or moremessages 1161 indicating that application processor 1189 is acting onthe application or its appnet. Alternatively, variants of domain 2601 asdescribed herein can include data manager 2644 configured to record oneor more instances of applications signaled, such as for networkmonitoring to facilitate analysis of faults within network 2600.

Referring now to FIG. 39, there are shown several variants of the flow200 of FIG. 2 or 38. Operation 220—signaling via a third core a partialservice configuration change at least in the first core in response todata received after signaling the first application relating with thefirst core and with the second core—may include one or more of thefollowing operations: 3922, 3924, 3926, or 3927. Operation3930—performing one or more additional operations—may include one ormore of the following operations: 3932, 3933, 3934, or 3938.

Operation 3922 describes evaluating the data received after signalingthe first application relating with the first core and with the secondcore (e.g. input devices 2608 of FIG. 26 confirming that receivedkeystrokes constitute a valid password or other authorization for thepartial service configuration change earlier presented by appnet manager2653 via output devices 2609). This can occur, for example, inembodiments in which interface 2607 is secure, and in which interface2607 and control utility 2661 jointly perform operation 220.Alternatively or additionally, ASR 2650 can perform operation 3922 suchas by control utility 2661 evaluating biometric data or other raw datafrom input devices 2608 (e.g. from sensing devices such as a camera ormicrophone) or by appnet manager 2653 receiving user input triggeringappnet configuration changes.

Operation 3924 describes displaying an indication of the firstapplication relating with the first core and with the second coresignaled (e.g. resource depicter 2618 sending a display screen aschematic mapping between a distributed “Network Manager” applicationand cores 2691, 2692 on which it runs). This can occur, for example, inembodiments in which output devices 2609 comprise the display screen, inwhich the third core implements subsystem 2610, in which appnet depicter2613 and the display screen jointly perform operation 220, and in whichthe schematic mapping includes names of one or more processes 2694 ofthe “Network Manager” application. In some embodiments, such a schematicmapping can be implemented in a layout form (like that of FIG. 1, e.g.),in a table form (like that of object directory 2643, e.g.), in a tieredform (like that of FIG. 13, e.g.) or the like.

Operation 3926 describes signaling the partial service configurationchange at the second core (e.g. application processor 1189 signaling RTE1187 that protocol handler 1131 has been assigned to IntermediateProcessing Center 1138 as the partial service configuration change inthe “first” core). This can occur, for example, in embodiments in whichRTE 1187 is the “second” core, in which application processor 1189obtains the assignment information from facts dictionary 1181, and inwhich RCP 1180 can perform operation 220.

Operation 3927 describes signaling the partial service configurationchange remotely from the first core (e.g. application processor 1189indicating the partial service configuration change at least 100 metersfrom the remainder of system 1100). This can occur, for example, inembodiments in which the “first” core is processor 1130 and in which RCP1180 accesses processor 1130 and RTE's 1186, 1187, 1188 only through anetwork (not shown) by writing a suitable set of values to routing table1183. Those skilled in the art will appreciate that many existingprotocols and methodologies for network routing can be used in thiscontext in light of teachings herein.

Operation 3932 describes signaling the partial service configurationchange to an entity (e.g. option depicter 2617 providing a menu optionlike “authorize partial service transfer” to a user or otherauthorization agent at interface 2607). For example, the partial servicetransfer may signify transferring one of the processes 2694 of core 2692to core 2693 at least partially. Alternatively or additionally, platform1300 of FIG. 13 can be configured so that development group 1334 canrequest app server 1346 for a managerial confirmation authorizing apriority increase for servicing requests from database server 1342 onbehalf of trusts domain 1314. In some embodiments, acceptance of such aselective refinement may be a sufficiently localized disruption towarrant consideration even in contexts in which a whole-server,whole-domain service configuration change would not.

Operation 3933 describes awaiting a response from the entity aftersignaling the partial service configuration change (e.g. control utility2661 postponing an effectuation of a response to the above-mentionedmenu option until a timeout occurs or until an explicit affirmation orrejection of the option is received). In some embodiments, a timeoutoccurs after a period of time (a minute or an hour, e.g.) and triggers adefault action. Default action(s) may include changing a configurationof output devices 2609, recording the occurrence of the timeout, ortreating the timeout as a default affirmation or rejection, for example.

Operation 3934 describes performing the signaled partial serviceconfiguration change in response to input received after signaling thepartial service configuration change (e.g. input-responsiveconfiguration logic 2473 repartitioning storage medium 2478 in responseto one or more user-entered values 2474 after imaging device 2476displays a menu option, a command prompt, a query, a form page or thelike for accepting the user entries). In some embodiments, implementer2662 can likewise be configured to perform operation 3934 by initiatinga process migration responsive to a confirmation of a user-selected orother proposed action. Alternatively or additionally, the input caninclude routing information, reservation or other resource information,timing information or a default value, or other parameters triggering orfacilitating the signaled partial service configuration change. This canoccur, for example, in embodiments in which group depicter 2614 isconfigured to perform operation 210 and in which option depicter 2617 isconfigured to perform operation 220.

Operation 3938 describes performing the signaled partial serviceconfiguration change at least in the first core and in the second core(e.g. local configuration logic 2475 changing a priority or resourceallocation for processes 1794 in remote subsystem 2490 and in core1785). This can occur, for example, in embodiments in which firstsignaling module 2410 performs operation 210, in which second signalingmodule 2420 performs operation 220, and in which subsystem 1700 iswithin local subsystem 2401.

Optionally, the configurations changed in this way can all pertaindirectly to a common application (application 2698, e.g.). This canoccur, for example, in embodiments in which group depicter 2614 canperform operation 210 and in which option depicter 2617 can performoperation 220. Those skilled in the art will recognize that the flowsdescribed herein can readily support a variety of sequential variationsso that, for example, operation 3938 can be performed before, between orduring various portions of operation 220.

Referring now to FIG. 40, there are shown several variants of the flow200 of FIG. 2, 38 or 39. Operation 210—signaling a first applicationrelating with a first core and with a second core—may include one ormore of the following operations: 4011, 4014, or 4015. Operation220—signaling via a third core a partial service configuration change atleast in the first core in response to data received after signaling thefirst application relating with the first core and with the secondcore—may include one or more of the following operations: 4022, 4024,4025, 4026, 4027, or 4029.

Operation 4011 describes indicating a first feature of the firstapplication at the first core and a second feature of the firstapplication at the second core (e.g. service directory 2642 indicatingidentifiers 2603 and definitions 2602 of one or more processes 2694 incore 2691 and one or more processes in core 2692). This can occur, forexample, in embodiments in which at least group depicter 2614 orresource depicter 2618 perform operation 210 and in which at least datamanager 2644 can perform operation 220. In some embodiments,feature-indicative data from service directory 2642 are retrieved andarranged by message handling module 2678, for example, and sent to oneor more output devices 2609. Alternatively or additionally, the featurescan likewise include controls 2695 or resources 2696.

Operation 4014 describes transmitting a message associating the firstapplication with the first core (e.g. ASR 2620 sending a record fromservice directory 2642 associating a “Trade Clearing” application with a“Web Server” core). This can occur, for example, in embodimentsimplementing FIG. 13 and FIG. 19 in combination, in which core 2691implements web server 1341, in which core 2692 implements databaseserver 1342, in which subsystem 2610 is configured to perform operation210, and in which subsystem 2610 or interface 2607 is configured toperform operation 220.

Operation 4015 describes transmitting an image depicting at least thefirst core and the second core (e.g. one or more output devices 2609transmitting a core-indicative image in a layout form, a table form, atiered form, or the like). The core-indicative image can showpredictive, historical, hypothetical, or other hardware or softwaremodules such as modules 1011-1059 of FIG. 10 or clusters such as that ofFIG. 13, for example. In some embodiments, portions of the imagedepicting at least some cores each substantially overlaps or otherwiseidentifies a selectable display screen control relating to that core (anicon, e.g.).

Operation 4022 describes receiving a record indicating a serviceconfiguration of the first core (e.g. record receiver 2421 receivingfrom module 1758 information about one or more policies 1797 orprocesses 1794 resident in one or more cores of remote subsystem 2490).This can occur, for example, in embodiments in which first signalingmodule 2410 performs operation 210 and in which second signaling module2420 performs operation 220.

In the variant of FIG. 26, message handling module 2678 can likewiseperform operation 4022 by receiving from cluster 2690, directly orindirectly, definitions of some or all of the processes 2694, controls2695, and resources 2696 of core 2692. In some embodiments, such recordsarrive periodically or occasionally from remote cores to ASR 2620, whichcan store them in service directory 2642 routinely or in response to oneor more criteria of rule handler 2679. This can be facilitated, forexample, by launching one or more mobile apps or other processes 2694into a remote core of cluster 2690 (core 2692, e.g.) configured toaggregate and transmit cluster status and configuration information.

Operation 4024 describes changing at least a portion of the receivedrecord (e.g. control utility 2661 editing or reassigning one or more ofthe above-referenced definitions in a local copy of a received recordsuch as app payload 1258). The change may define a change to some or allof the processes 2694, controls 2695, and resources 2696 of core 2692without implementing them, for example.

Operation 4025 describes providing the changed portion of the receivedrecord as an input to the first core (e.g. implementer 2662 transmittingthe above-referenced received and changed record to core 2692).Alternatively or additionally, implementer 2662 can implement the changeby sending the change to some other core (such as core 2693, e.g., insome embodiments) that controls the operation of the first core. In someembodiments, one or more of operations 4022 through 4025 can thuseffectuate one or more of a process change (to a security protocol,e.g.) or a resource change (to a processor or memory allocation, e.g.)to core 2692 or its operation.

Operation 4026 describes signaling the partial service configurationchange on a single integrated circuit containing the first core, thesecond core, and the third core (e.g. engine dispatcher 1185 allocatingRTE's 1186, 1187, 1188 in an embodiment in which a single processor chipincludes a complete instance of system 1100). In some embodiments, aprogrammable general-purpose chip implements a variant of system 1100 astaught herein, such as by implementing RCP 1180 and the like insoftware.

Operation 4027 describes causing the partial service configurationchange in at least the first core and the second core (e.g. delegationlogic 2477 triggering module 1758 to install a firewall upgrade to eachof several cores of remote subsystem 2490). This can occur, for example,in embodiments in which first signaling module 2410 and resources 2470jointly perform operation 210, in which second signaling module 2420performs operation 220, and in which remote subsystem 2490 is configuredwith several cores.

In the variant of FIG. 26, message handling module 2678 can likewiseperform operation 4027 by deploying mobile agents or other code blocksthat implement a security configuration change to processes 2694 orotherwise to one or more cores 2691-2693. Alternatively or additionally,message handling module 2678 can cause such a change by sending one ormore messages like that of FIG. 12 to software agents resident incluster 2690.

Operation 4029 describes performing the partial service configurationchange in at least the first core (e.g. core configuration logic 2425performing the change upon the at least one core in remote subsystem2490 via linkage 2481). This can occur, for example, in embodiments inwhich at least first signaling module 2410 performs operation 210, inwhich at least second signaling module 2420 performs operation 220, andin which remote subsystem 2490 is at least configured with the “firstcore.”

In the variant of FIG. 26, implementer 2662 can likewise performoperation 4029 (e.g. by causing processes 2694 of application 2697 toinstall an encryption or decryption utility as one or more resources2696 of application 2698 in core 2691). Alternatively or additionally,such resources may be made available to other entities such asapplication 2697.

Referring now to FIG. 41, there are shown several variants of the flow200 of FIG. 2, 38, 39, or 40. Operation 210—signaling a firstapplication relating with a first core and with a second core—mayinclude one or more of the following operations: 4112, 4114, or 4118.Operation 4130—performing one or more other operations—may include oneor more of the following operations: 4133, 4134, or 4136.

Operation 4112 describes transmitting one or more service-specificparameters and a portion of the first application to the first core andto the second core (e.g. code distribution logic 2411 distributing type1 policy 1798 with implementing parameters and instructions at least tomodule 1753 and module 1754, as shown in FIG. 17). This can occur, forexample, in embodiments in which at least first signaling module 2410performs operation 210, in which at least second signaling module 2420performs operation 220, in which local subsystem 2401 includes subsystem1700, and in which channel 2450 couples directly or indirectly topassive media 1712.

In the variant of FIG. 26, message handling module 2678 can likewiseperform operation 4112 (e.g. by sending controls 2695 and communicationmodules to cores 2691-2693 in creating appnet 2688). For example, thecontrols 2695 can include passwords, selections, security levels, userpreferences, path names, switch values, or the like. The communicationmodules can comprise resources 2696, mobile agents, or the like. Each ofthe cores can also receive other information about application 2698 whenassembling application 2698, such as indications of where messagehandling module 2678 resides or of which cores comprise appnet 2688.Alternatively or additionally, authorized user lists and other sensitiveinformation relating to application 2698 can generally remain withinsubsystem 2610 as a single access control point in domain 2601 forhigher-level commands 1409 (such as those in row 1403, e.g.).

Operation 4114 describes transmitting information about how the firstapplication relates at least to the first core after receiving a handleof the first application (e.g. software agent 1589 sending topologicalinformation about appnet 1581 specifying one or more core groups 1564,after receiving an application handle from directory manager 1520). Arequest for such information can include “Enterprise” or a pathname asan application handle, for example, or a handle of a resource or othercomponent of the application or appnet, for searching directory 1586.This can occur, for example, in embodiments in which domain 1585implements domain 2601 of FIG. 19, in which software agent 1589implements Application Service Router 2620 for performing operation 210,in which appnet depicter 2613 is configured to perform operation 4114,in which directory 1586 implements object directory 2643, in whichappnet 1581 implements cluster 2690 (including core 2691), and in whichASR 2650 is configured to perform operation 220.

In one scenario, app 1571 provides a handle of part or all of appnet1581 (“Enterprise,” e.g.) in seeking to register with directory manager1520. (This can occur, for example, after app 1571 attempts to completea transaction directly with core 2691 of appnet 1581 via linkage 1523without success.) In some instances “Enterprise” may not be foundlocally within directory manager 1520, in which case directory managermay broadcast or otherwise send an inquiry about “Enterprise” acrosslinkage 1522 and others (not shown), triggering the above-describedresponse.

In another scenario, directory manager 1520 comprises an instance ofsubsystem 2610 that can mediate between app 1571 and appnet 1581 byobtaining a channel to appnet 1581 via software agent 1589. In manycases like these, the existence of several high-level appnet constructsdefined within company 1580 enables software agent 1589 to be configuredcentrally to serve as a convenient regional or global network accesspoint for company 1580. This provides better visibility oforganizational responsibility and usage of various infrastructure andapplication components within appnets 1581-1583. It also enablesdevelopers and users to better implement and enforce application- andsystem-level resource access control. These configurations and scenariosthus illustrate how appnets can be used for increasing divisional ororganizational agility, especially when using shared hardware (e.g.cores 1565) or common software interfaces.

Operation 4118 describes signaling, at least to the first core, thefirst application relating with the first core and with the second core(e.g. routelet app 2668 transmitting a digital signal to core 2691indicating that an aggregator application is running jointly on at leastcore 2691 and core 2692). In some variants, the digital signal caninclude a name of the application, for example, a name of one or moreprocesses 2694 of the application on the second core or on other cores,a timestamp, a list of cores or core groups (see FIG. 15, e.g.),information about other applications or overlapping appnets, or thelike.

Operation 4133 describes booting at least the second core in response tothe data received after signaling the first application relating withthe first core and with the second core (e.g. implementer 2662 rebootingcore 2691 in response to receiving an instruction or timeout signalafter appnet depicter 2613 signals application 2698 at cores 2691-2693).This can occur, for example, in embodiments in which core 2691 is thesecond core, in which data manager 2644 is configured to performoperation 220, and in which ASR 2650 is configured to perform operation4130. In another such scenario, appnet manager 2653 can begin a sequencefor initializing application 2698 by publishing an intention to boot oneor more cores 2691-2693 of cluster 2690 in lieu of detecting anycountervailing conditions (defined in and monitored by rule handler2679, e.g.) within a period of time. The countervailing conditions mayinclude input from interface 2607, activity in application 2697, or thelike. The data received may include clock transitions or otherindications of elapsed time, indications of activity in one or more ofthe cores 2691-2693, an indication of the partial service configurationchange relating, a linkage between such a change and application 2697,or the like. The booting may include any sequence of hardwaretransitions or other triggers known by those skilled in the art, and mayinclude implementer 2662 causing a reboot event as an indirect effect(of power cycling cluster 2690 or generating a fault condition, forexample).

Operation 4134 describes superseding a service configuration at least inthe second core in response to the data received after signaling thefirst application relating with the first core and with the second core(e.g. appnet manager migrating module 1033 responsive to super-user 1406or policy app 2669 indicating a removal of module 1033 from appnet1062). This can occur, for example, in embodiments in which module 1034is the first core, for example, or otherwise in which module 1033 is orresides in the second core. In some variants interface 2607 isconfigured to interact with super-user 1406, with rule handler 2679defining which commands 1409 are available to super-user 1406 wheninteracting with appnet 1062 (e.g. those included in one of columns1461-1465).

Operation 4136 describes evaluating the signaled partial serviceconfiguration change (e.g. abstracter 2615 predicting a success rate of92% in relation to a cache hits performance statistic, for example, or adifference between 92% and a current success rate). This can occur, forexample, in embodiments in which abstracter 2615 receives auser-proposed partial service configuration change and one or moreuser-designated statistics of interest in operation 210. In someembodiments, abstracter 2615 estimates one or more effects jointly (withinput from adapter app 2666, servicelet app 2667, one or more resources2696, or the like) in performing operation 4136

Alternatively or additionally, operation 4136 can yield an evaluation ofa past change as “harmless” or a proposed change as “risky,” can anefficiency or other performance model relating to past changes,indications of various aspects of the change (relating to anavailability of resources 2696, e.g.), or the like.

Referring now to FIG. 42, there are shown several variants of the flow200 of FIG. 2, 38, 39, 40, or 41. Operation 210—signaling a firstapplication relating with a first core and with a second core—mayinclude one or more of the following operations: 4211 or 4218. Operation220—signaling via a third core a partial service configuration change atleast in the first core in response to data received after signaling thefirst application relating with the first core and with the secondcore—may include one or more of the following operations: 4222, 4224,4227, 4228, or 4229.

Operation 4211 describes depicting an option including at least arepresentation of the first application relating with the first core andwith the second core (e.g. option depicter 2617 graphically showingappnet 150 including cores 151, 152). One or more additional appnets maylikewise be depicted, such as in network 100 as shown in FIG. 1.Alternatively or additionally, one or more of the options or otherfeatures may be shown in menu form. Alternatively, an appnet can bedepicted without related options per se, such as for context or othermerely informational purposes.

Operation 4218 describes accessing a record relating the firstapplication to the second core (e.g. DMA 1163 accessing a current orrecent list of processes from memory 1166). A process list from thesecond core can be received within app payload 1258 of message 1210, forexample. This can occur periodically or in response to a request, suchas can be generated when a user requests a view of an appnet for theapplication.

Operation 4222 describes signaling the partial service configurationchange via a channel traversing the third core (e.g. implementer 2662using channel 1391, traversing database server 1342, for signaling anactivation of “Node1” module 1351 from web server 1341 at “Pricedb”module 1352). This can occur, for example, in an embodiment in whichcore 2691 implements web server 1341, in which core 2692 implementsdatabase server 1342, in which appnet 2687 implements trade clearingappnet 1321, and in which ASR 2650 can perform operation 220. (Thechannel may likewise comprise one or more physical signal paths such aslinkage 2628.)

Operation 4224 describes upgrading a portion of the first application atleast at the first core (e.g. servicelet app 2667 suspending one or moreprocesses 2694 of application 2697 at core 2691 and replacing one ormore resources 2696 of the suspended process such as a subroutine codemodule of application 2697). In such embodiments appnets can be used forfacilitating an incremental software upgrade using existing subsystems.Incremental upgrades can be useful, for example, in determining whichportion of an upgrade might have introduced malicious agents or otheranomalies into a network.

Operation 4227 describes indicating a portion of a first core serviceupgrade at the third core (e.g. query agent 2727 requesting specificauthorizations to upgrade some controls 395 or resources 396 of core 391via interface 325). This can occur, for example, in embodiments in whichsignaling module 321 is configured to perform operation 210, in whichaggregation module 322 implements aggregation module 2702 for performingat least operation 220, in which interface 325 can be used for selectingsome of controls 395 or resources 396. If receiver 2722 receives anindication of code module X (not shown) of resources 396 in core 391being selected for upgrade, for example, in some embodiments updatecircuitry 2762 can respond by updating only code module X as the partialservice configuration change. This illustrates that an appnet canfacilitate selective upgrades effectively in some embodiments. This alsoillustrates how appnets can be used for facilitating the reuse of codemodules, for example, during selective additions or replacements ofnetwork hardware components.

Operation 4228 describes causing the partial service configurationchange by an activity at the third core (e.g. transmitter 2531 sendingservice identifiers 2532 or service change specifications 2533corresponding with a service level change). This can occur, for example,in embodiments in which the “first” and “second” cores are remote (fromtransmitter 2531, e.g.), in which subsystem 2802 of FIG. 28 implements alocal “third” core, in which ASR 2866 is configured to perform operation210, in which signaling circuitry 2868 is configured to performoperation 220, and in which signaling circuitry 2868 is configured toimplement one or more of the listed components of ASR 2530, including atleast transmitter 2531.

Operation 4229 describes migrating at least a portion of a resource ofthe first core (e.g. servicelet app 2667 causing one or more resources2696 to be allocated at core 2691 in lieu of some or all of likeresources at core 2692). Resources to be migrated in this fashion mayinclude a memory or storage allocation, code modules, database files orlinkages, a processing capacity, or the like.

Referring now to FIG. 43, there are shown several variants of the flow500 of FIG. 5. Operation 580—displaying a portion of a datastructure—may (optionally) include one or more of the followingoperations: 4382, 4384, 4386, or 4387. Operation 590—deciding whether toupdate the data structure in response to an inter-core linkage and toinput received after displaying the portion of the data structure—maylikewise include one or more of the following operations: 4393, 4395,4398, or 4399.

Operation 4382 describes displaying one or more identifiers of aphysical object type in the portion of the data structure (e.g. viewselection logic 2363 showing one or more alphanumeric values 2364 suchas part numbers identifying components of an article of manufacture indata structure 2322). This can occur, for example, in embodiments inwhich interface module 2360 is configured to perform operation 580, inwhich decision module 2350 is configured to perform operation 590, andin which view selection logic accesses data structure portions such asDDO's 2380, SDO's 2385, or labels associated with them.

Operation 4384 describes displaying one or more cognitive symbols atleast partly based on one or more estimates from the data structure(e.g. data format logic 2365 showing decimal values or otherquantity-indicative symbols responsive to estimates 2234 arriving as adestination data object 2287). The symbols can reflect desired,required, or available product quantity estimates, for example, or acost or component quantity based upon them, many examples of which areavailable to those skilled in the art.

Operation 4386 describes plotting one or more variables at least partlybased on data from the data structure (e.g. plotting logic 2362 plottingone or more computations 2235 from tabular grid data 2236, in ahistogram or scatter plot). The variables or operands from whichcomputations 2235 are obtained can include destination data object 2287or linking data object 2284, for example.

Operation 4387 describes rendering a graphic image from the datastructure (e.g. drawing logic 2367 showing a bitmap or vector image astype 3 DDO 2383). The graphic image can be a direct copy from type 3 SDO2393, for example, or can be processed based on a local (prior) imageand editing or other image processing instructions in type 2 SDO 2392.

Operation 4393 describes requesting the inter-core linkage incorporatinga reference to a network address (e.g. linkage request logic 2354 askingfor an association between destination data objects 2380 locally andsource data objects 2390 at a remote IP address via physical linkage2311). The recipient of the request may be a local entity (e.g. linkmanagement module 2240) or a remote entity (e.g. in second network2300). In some embodiments, linkage request logic 2354 can first requesta remotely-managed linkage (by which a remote entity is responsible forupdating relationships in either or both directions), and absent apositive response, request a locally-managed linkage (by which a localentity updates the data relationship). Either of these entities canoptionally be configured to pull or push data to update or confirm thedata object relationship periodically or occasionally, for example.

Operation 4395 describes receiving via a network port a messageexplicitly signaling the inter-core linkage (e.g. message parser 2355receiving a web page or e-mail message indicating linkage 2311, such asby identifying channel 2310 or some other route between first network2200 and other entities). The explicit signal may comprise identifiersof the linked cores, for example, or a similar transport header or thelike. In various embodiments, this information can trigger the update,enable input-receiving circuitry, or otherwise be used in decidingwhether to update the data structure of operation 590.

Operation 4398 describes updating the data structure by delegating atask to a network resource (first delegation logic 2357 instructingsecond network 2300 or the like to accept type 2 SDO 2387 for use inupdating one or more destination data objects 2395). This can occur, forexample, in embodiments in which decision module 2350 is configured toperform operation 590 and in which such data objects are in the datastructure to be updated.

Operation 4399 describes displaying one or more cognitive symbolsidentifying the inter-core linkage via a user interface (e.g. displaycontrol logic 2368 sending words or other cognitive symbols 2369describing linkage 2311 to a screen display or other output devices2309). In some embodiments, the inter-core linkage can be identifiedmerely as “Current Inventory,” “Prices,” “Days to Completion,” or“Compositions” referring to data to be updated from SDO's 2385 to DDO's2395 (or from SDO's 2390 to DDO's 2380, e.g.). Many such text labelssufficient to distinguish such data object linkages from one anotherwill be apparent to those skilled in the art in light of teachingsherein.

Referring now to FIG. 44, there are shown several variants of the flow500 of FIG. 5 or 43. Operation 590—deciding whether to update the datastructure in response to an inter-core linkage and to input receivedafter displaying the portion of the data structure—may include one ormore of the following operations: 4491, 4493, 4497, or 4398. Operation4420—performing one or more additional operations—may include one ormore of the following operations: 4424, 4427, or 4429.

Operation 4491 describes participating in a handshaking operation acrossthe inter-core linkage (e.g. protocol logic 2352 initiating orresponding to a communication across linkage 2311). This can occur, forexample, in embodiments in which interface module 2360 can performoperation 580, in which decision module 2350 can perform operation 590(alone or in combination with interface 2307 or data manager module2220), and in which linkage 2311 includes one or more inter-corelinkages.

Operation 4493 describes updating the inter-core linkage (e.g. selectiveupdate logic 2351 retrieving data from SDO 2289 into DDO 2287, pushingdata from type 2 SDO 2387 to type 3 DDO 2397, or checking for changes atLDO 2284 or LDO 2286 to trigger a synchronization operation). This canoccur, for example, in embodiments in which at least decision module2350 performs operation 590, in which channel 2210 is operativelycoupled to channel 2310, and in which selective update logic 2351 cancontrol or access linkage 2288, linkage 2311, or linkage 2285, as shown.In some embodiments, operation 4493 is performed periodically (e.g. each5 to 500 milliseconds). Alternatively or additionally, selective updatelogic 2351 can be configured to respond to notifications received fromsome or all of the above-mentioned source or linking data objectsindicating a change in object contents.

Operation 4497 describes receiving at least one predictive value (secondinput device 2302 receiving an arrival time estimate, a weatherforecast, a resource availability or cost prediction or the like). Thiscan occur, for example, in embodiments in which interface 2307 anddecision module 2350 jointly perform operation 590 and in which aservice or product provider is trying to coordinate arrivals or othercontributions from several other providers.

Operation 4498 describes updating at least an element of the portion ofthe data structure responsive to the input received after displaying theportion of the data structure (update logic 2227 updating one or moreobjects in tabular data appnet 2250 responsive to input signifyingacceptance of a displayed proposal). In some embodiments update logic2227 can transmit a revised formula, for example, just typed into firstinput device 2301, so that some DDO's or formulae that depend from themeffectively incorporate the revised formula.

Operation 4420 describes performing one or more additional operations(e.g. data manager module 2320 or tabular data appnet 2250 performingone or more of operations 4424-4429). In some embodiments, deploymentmodule 2160 or other resources 2150 can effectively perform suchoperations, for example, by deploying one or more local or remote agentsconfigured to serve such a role within network 2300.

Operation 4424 describes receiving a substitute value for a displayedelement of the portion of the data structure (source data object 2282receiving a binary value of 11101101 from linking data object 2284 orfrom first input device 2301, e.g., as a substitute for anearlier-reported value of 00000000). In some embodiments, one or morenetworks are configured so that such a substitution results in asubstantially simultaneous update of more than one of (a) the displayedelement, (b) formulas in the data structure incorporating the element asan operand, or (c) remote values configured as DDO's or LDO's.

Operation 4427 describes receiving an indication of a remotely-generatedcomputation as the input received after displaying the portion of thedata structure (type 1 DDO 2381 receiving an updated checksum indicativeof a remote checksum value arriving at SDO 2391). This can occur, forexample, after one or more output devices 2309 display a portion of datastructure 2322 including, for example, labels identifying DDO 2381 asreflecting the checksum or other computation at SDO 2391. In someembodiments, configuring data manager module 2320 to receive suchcomputations (rather than voluminous raw data, e.g.) can reduce a burdencaused by maintaining data object linkages.

Operation 4429 describes receiving one or more instructions relating toone or more of the inter-core linkage, the data structure, or a decisionto update the data structure (e.g. message parser 1623 receiving one ormore modules containing instructions for servicing or updatinginter-core linkage 1685, for forming inter-core linkage to datastructure 1695, or for implementing decision module 1650). This canoccur, for example, in embodiments in which interface module 1660 canperform operation 580, in which decision module 1650 can performoperation 590, and in which decision module 1650 or receiving module1620 can perform operation 4420.

Referring now to FIG. 45, there are shown several variants of the flow600 of FIG. 6. Operation 610—obtaining an inter-core linkage inassociation with a tabular data object—may include one or more of thefollowing operations: 4511, 4513, 4515, or 4518. Operation 620—decidingwhether to update the tabular data object in response to the inter-corelinkage obtained in association with the tabular data object—may includeone or more of the following operations: 4523 or 4526.

Operation 4511 describes associating the inter-core linkage with thetabular data object (e.g. association logic 2271 mapping addresses orother handles 2203 to physical addresses 2204 of a data table containingtype 2 DDO 2397). Alternatively or additionally, one or more of thephysical addresses 2204 can identify a location of a data table (as type1 DDO 2396, e.g.). In some embodiments, association logic 2271 cansimilarly associate a single data object handle with a logical handleassociated with several physical addresses (e.g. by providing a tableentry containing a thumbnail or search term hit in a table entry thatalso contains a registered name of an internet domain within which thethumbnail or search term data was found).

Operation 4513 describes receiving at least a portion of the inter-corelinkage via a network linkage (e.g. receiving logic 2279 receiving ahyperlink or other object indicating a logical or physical address of anentity containing source data objects 2390 or destination data objects2395 through linkage 2311). Alternatively or additionally, receivinglogic 2279 can be configured to assemble, decode, parse, or otherwiseprocess portions of an address, envelope object, channel identifier orother received linkage feature into ports of the inter-core linkage.

Operation 4515 describes indicating at least a portion of the inter-corelinkage via a network linkage (e g linkage indication logic 2276transmitting a handle of core 2252 across linkage 2285 of tabular dataappnet 2250). Alternatively or additionally, linkage indication logic2276 can be configured to perform operation 4515 by authorizing linkagesbetween objects within data structures of first network 2200 and SDO's2390 or DDO's 2395. This can cause type 3 SDO 2393 to be linked to oneor more DDO's in data structures 2222, 2225 or tabular data grid 2236,for example.

Operation 4518 describes receiving a portion of the inter-core linkagewithin the tabular data object (e.g. record update logic 2272 includingfirst network access port linkage 2231 within tabular data object 2236).This can occur, for example, in embodiments in which tabular data object2236 is of a type that a spreadsheet or database application or the likecan interact with in a conventional manner, in which first networkaccess port linkage 2231 corresponds with a portion thereof such as acell or a rectangular range, and in which linkage module 2270 isconfigured to perform operation 610. The portion can comprise one ormore data objects that can refresh a remote data object (or vice versa)responsive to tabular data object 2236 being opened or closed, forexample, or during some interrupts or object activation events such aspulses from clock circuitry 2228.

Operation 4523 describes updating one or more destination data objectsin response to the inter-core linkage signaling a change in one or moresource data objects (e.g. destination update logic 2243 updating DDO2287 responsive to a pulse via second network access port linkage 2232).The pulse can signify new data becoming available among SDO's 2390, forexample, in a variant in which destination update logic 2243 requests orotherwise pulls the new data through linkage 2311. Alternatively oradditionally destination update logic 2243 can push or otherwisefacilitate a data update through linkage 2311 from type 1 SDO 2386 totype 3 DDO 2398. Those skilled in the art will recognize a variety ofconfigurations for implementing such variants without undueexperimentation, in light of the teachings in this document.

Operation 4526 describes sending an update across the inter-core linkageto the tabular data object (e.g. router 2244 and core 2252 jointlyupdating linking data object 2286 responsive to detecting a change inlinking data object 2284). This can occur, for example, in embodimentsin which link management module 2240 and tabular data appnet 2250jointly perform operation 620, in which linkage 2285 implements theinter-core linkage, and in which core 2253 implements at least thetabular data object. Alternatively or additionally, router 2244 can beconfigured for performing operation 4526 by sending update-containingmessages via linkage 2311.

Referring now to FIG. 46, there are shown several variants of the flow600 of FIG. 6 or 45. Operation 620—deciding whether to update thetabular data object in response to the inter-core linkage obtained inassociation with the tabular data object—may include one or more of thefollowing operations: 4624, 4627, or 4628. Operation 4650—performing oneor more additional operations—may include one or more of the followingoperations: 4654, 4657, or 4658.

Operation 4624 describes receiving a data structure via the inter-corelinkage (e.g. memory device 2224 receiving data structure 2225 via aninter-core linkage including channel 2210, channel 2310 and linkage2311. This can occur, for example, in embodiments in which linkagemodule 2270 is configured to perform operation 610, in which datastructure 2225 includes an array-type data structure of more than onedimension, and in which data manager module 2220 and decision module2350 can jointly perform operation 620. Many such embodiments aredescribed in this document.

Operation 4627 describes configuring an operation to depend at least onan operand linked via the inter-core linkage to a remote value (e.g.formula definition logic 2247 configuring formula update logic 2248 toupdate a cell in tabular data grid 2236 by multiplying type 1 SDO 2391with a scalar constant of “100”). Alternatively or additionally, formuladefinition logic 2247 can configure formula update logic 2248 toimplement one or more triggering criteria that control when such anupdate can occur. These variants can occur, for example, in embodimentsin which linkage module 2270 is configured to perform operation 610 andin which at least link management module 2240 is configured to performoperation 620.

Operation 4628 describes updating a result of the operation afterreceiving an update of the operand as user input (e.g. formula updatelogic 2248 updating the above-referenced cell in tabular data grid afterreceiving “5” as an updated value of type 1 SDO 2391). This can resultin the cell being updated, for example (e.g. from a prior value of 21 toa subsequent value of 35). This can occur, for example, in response to achange in the formula or to a change in operands (or both) being enteredat second input device 2302, in some embodiments. Alternatively oradditionally, indications of the user input or other changes canoriginally enter first network 2200 via second network 2300 in somevariants.

Operation 4654 describes displaying information about the inter-corelinkage responsive to an indication of an object that contains theinter-core linkage (e.g. implementation logic 2278 indicatingtransmitting an owner identifier, a creation date, location data, usagehistory, or other attributes describing linkage 2311 or a logicallinkage that includes it in response to an identifier of such a logicallinkage). Alternatively or additionally, the linkage-containing objectcan comprise a message or file including one or more estimates 2234,computations 2235, tabular data grid 2236 or the like. This can occur,for example, in embodiments in which linkage module 2270 is configuredto perform operation 4650.

Operation 4657 describes signaling one or more destination data objectsresponsive to a change in one or more source data objects of the tabulardata object (e.g. destination update logic 2243 maintaining linkage 2281by updating or otherwise notifying DDO 2280 in response to SDO 2282being changed or otherwise refreshed). This can occur, for example, invariants in which one or more fields of the tabular data object compriseSDO 2282, in which link management module 2240 performs operation 620,and in which one or more cores of tabular data appnet 2250 at leastpartially implement another instance of link management module 2240(e.g. one that can perform operation 4650).

Operation 4658 describes obtaining an update of the tabular data objectaccording to an arithmetic or logical formula definition received viathe inter-core linkage (e.g. second delegation logic 2358 obtaining anew value for use in tabular data grid 2236 by delegating a computationtask to core 1786). This can occur, for example, in an embodiment inwhich decision module 2350 performs operation 4650, in which subsystem2802 of FIG. 28 couples channel 2310 to core 1786 via passive media1712, in which the computation task includes determining whether2X+7<30, in which second delegation logic 2358 receives a signaldefining this formula via linkage 2311 and passes it to core 1786, andin which second delegation logic 2358 later passes a result of “TRUE” totabular data grid 2236. Alternatively or additionally, operation 4658can be performed with respect to tabular data objects in second network2300. Alternatively or additionally, in some embodiments, tabular datagrid 2236 can be configured to obtain computations 2235 directly withoutdelegation, for example in embodiments in which second network 2300 andnetwork 2800 are not included, and in which the operand values andformula definition (e.g. X=3 and 2X+7<30) are passed into tabular datagrid 2236.

Referring now to FIG. 47, there are shown several variants of the flow700 of FIG. 7. Operation 710—receiving information from a remote agentlocally—may include one or more of the following operations: 4712, 4714,4715, 4716, or 4719. Operation 720—responding to the locally receivedinformation from the remote agent by deciding whether to signal a changeof a security configuration of the remote agent—may include one or moreof the following operations: 4722, 4725, or 4727.

Operation 4712 describes receiving one or more processing environmentattributes as the information from the remote agent (e.g. coredescription registry 1921 or core status registry 1947 respectivelyreceiving a core configuration summary and a core status summary fromremote core 1985). Alternatively or additionally, in some embodiments,core description registry 1921 can receive core owner, manufacturer,model or revision identifier, size information or the like from remotecore 1985 about other cores. In variants in which subsystem 2802 andlinks 2819, 2450 are included, for example, such information candescribe remote subsystem 2490, for example. Alternatively oradditionally, in some variants, core status registry 1947 can likewisereceive a core availability status, a process name, a policyeffectuation list, a resource status summary, or the like from remotecore 1985 relating to remote subsystem 2490.

Operation 4714 describes receiving agent status information as theinformation from the remote agent (e.g. agent status registry 1943receiving from remote core 1985 an indication of a status of one or moreagents). This can occur, for example, in embodiments in which the one ormore agents comprise remote core 1985 or module 1758, in which receivingmodule 1920 performs operation 710, and in which linkage 1911 is atleast about 10 meters in length. (In some embodiments, a “remote”network element can be one that is coupled primarily with a “local” itemvia a signal-bearing channel containing such a linkage.)

Operation 4715 describes receiving resource status information as theinformation from the remote agent (e.g. resource status registry 1945receiving a status message about one or more resources 1796). This canoccur, for example, in embodiments in which subsystem 2802 coupleschannel 1910 with passive media 1712 and in which the remote agentcomprises module 1759 or some other entity in subsystem 1700 that can beremote from resource status registry 1945.

Operation 4716 describes receiving one or more service handles as theinformation from the remote agent (e.g. service handle registry 1929receiving a pointer, name, or other handle of one or more processes1794, resources 1796, or other controls in subsystem 1700). This canoccur, for example, in embodiments incorporating subsystem 2802 of FIG.28, in embodiments in which channel 1910 includes one or more passivemedia 1712, or in which channel 1910 is operatively coupled to one ormore passive media 1712.

Operation 4719 describes applying one or more criteria to a timingattribute of the information from the remote agent (e.g. timingcertification logic 1930 applying one or more arrival time limits 1935or other timing criteria 1934 to a message from remote core 1985).Alternatively or additionally, timing criteria 1934 may include whethera message defines a timing parameter (by including a timestamp, e.g.) orwhether the message transmission time was within about 1 minute of aninquiry time. An outcome of operation 4719 can be used in decidingwhether to retry an inquiry, whether to record an event, whether toinitiate a diagnostic, or whether to signal the security change ofoperation 710.

Operation 4722 describes deciding to signal the change of the securityconfiguration of the remote agent responsive to local user input (e.g.preference implementation logic 1654 signaling a security protocoldeactivation in response to a deactivation request from a user within avicinity of core 1680). Alternatively or additionally, one or more otherportions of decision module 1650 may be included in the same vicinityand operably coupled to act upon the input.

Operation 4725 describes causing the change of the securityconfiguration of the remote agent responsive to the locally receivedinformation from the remote agent (e.g. security control logic 1656responding to a signal from remote agents 1692 in core 1690 bytransmitting instructions for adding a security protocol to one or moreof the remote agents 1692). This can occur, for example, in contexts inwhich core 1680 is local, in which core 1690 includes remote agents 1692remote from core 1680, and in which decision module 1650 performsoperation 720. Alternatively or additionally, the security protocol tobe added can be a replacement or other upgrade, optionally changed bysending a task request (pull or install, e.g.) to one or more of theremote agents 1692.

Operation 4727 describes storing an indication of the change of thesecurity configuration of the remote agent responsive to the locallyreceived information from the remote agent (e.g. security configurationchange monitor 1651 recording indications of a requested, intended,available, completed, rejected, or other security configuration change).Alternatively or additionally, the change indication can includeinformation relating to the change such as version numbers, eventtimestamps, threat indicators 1658 or the like.

Referring now to FIG. 48, there are shown several variants of the flow700 of FIG. 7 or 47. Operation 710—receiving information from a remoteagent locally: 4812, 4818, or 4819. Operation 4850—performing one ormore additional operations—may include one or more of the followingoperations: 4853, 4855, 4856, or 4858.

Operation 4812 describes requesting data from the remote agent (e.g.data request logic 1937 requesting a heartbeat, a self-identification, astatus update, request 1659, one or more data objects 1696 or the likefrom remote agents 1692, in some variants). The request can (optionally)include one or more of an address or other identifier of core 1680, anidentifier of core 1690, a substantive description of the datarequested, executable instructions for acting on the request or thelike.

Operation 4818 describes receiving status information as the informationfrom the remote agent (e.g. status registry 1940 receiving core status,available resource capacity, control status, or the like). This canoccur, for example, in embodiments in which at least status registry1940 is local, in which the status information relates to the remoteagent or other software, and in which at least some of receiving module1920 performs operation 710. Alternatively or additionally, in someembodiments, the information may include an inference from an aspect ofthe remote agent, an event relating to the remote agent, or otherwise inwhich the remote agent is not a sender of the information.

Operation 4819 describes receiving the information from the remote agentat least partly through a wireless medium (e.g. antenna 1969 receivingthe information from one or more remote agents 1692 via linkage 1911).This can occur, for example, in embodiments in which channel 1610 isoperatively coupled with local subsystem 1901 along channel 1910 vialinkage 1911, in which linkage 1911 is a wireless linkage, and in whichat least a portion of resource module 1960 performs operation 710.

Operation 4853 describes deciding whether to authorize a transactionresponsive to the locally received information from the remote agent(e.g. transaction authorization logic 1962 generating a decision byapplying one or more authorization criteria 1963 to the locally receivedinformation). The information can include a proposed start time, one ormore transaction cost or benefit indications (e.g. a duration or anamount of currency), a level or substantive type of authority needed, orother transaction descriptors, for example. Those skilled in the artwill recognize how each of these factors can be used in operation 4853,in light of these teachings. The proposed start time can warrant anaffirmative decision within about an hour of that time, for example, ora timing-conditional authorization in response to a description of aproposed transaction having a low cost or a high expected benefit.

Operation 4855 describes receiving information from one or more otheragents (e.g. network interface 1961 or subsystem 2802 receiving datafrom module 1751 as well as module 1758). This can occur, for example,whether module 1751 is remote or local to network interface 1961, inembodiments in which modules 1751, 1758 comprise a combination ofhardware and software agents, in which resource module 1960 isconfigured to perform operation 4850, and in which receiver 2875performs operation 710.

Operation 4856 describes deciding whether to signal a change of a localsecurity configuration responsive to the locally received informationfrom the remote agent (e.g. intrusion response logic 1965 deciding tomodify one or more authorization criteria 1963 responsive to a warningor request from module 1758). This can occur, for example, inembodiments in which transaction authorization logic 1962 controls asecurity policy of resource module 1960 in a vicinity in which operation710 has been performed.

Operation 4858 describes transmitting a response to the locally receivedinformation from the remote agent (e.g. routing logic 1968 transmittingan acknowledgment or other notification to the remote agent, a zonalaggregator, or the like). The target recipient can include subsystem2802, a relay node or the like, in some embodiments. Alternatively oradditionally, the response can evaluate, summarize or otherwisesubstantively indicate the locally received information.

Referring now to FIG. 49, there are shown several variants of the flow700 of FIG. 7, 48, or 49. Operation 710—receiving information from aremote agent locally—may include one or more of the followingoperations: 4912, 4914, or 4916. Operation 720—responding to the locallyreceived information from the remote agent by deciding whether to signala change of a security configuration of the remote agent—may include oneor more of the following operations: 4921, 4925, or 4926. Alternativelyor additionally, flow 700 may include other features such as operation4976 as shown.

Operation 4912 describes receiving a location history via the remoteagent as the locally received information (e.g. zonal registry 1922receiving a list of locations module 1755 has visited or a list oflocations from which module 1755 has received signals). The list(s) oflocations can be comprehensive, sampled, selected according to one ormore criteria or the like, in some embodiments. This can occur, forexample, in embodiments in which channel 1910 is directly or indirectlycoupled with passive media 1712 and channel 2310, in which receivingmodule 1920 performs operation 710, and in which decision module 2350 orfirst decision circuitry 2878 performs operation 720.

Operation 4914 describes receiving a cost-indicative value as thelocally received information (e.g. cost registry 1924 receivingindications of time, work, money, storage or other quantities of aburden associated with adding or removing a security policy at theremote agent). The information may include a message or other signalarriving as a request or instruction that includes the value, forexample, or a formula or other mechanism for obtaining it, in someembodiments.

Operation 4916 describes receiving at least an indication of a sourcedata object as the locally received information (e.g. unpacking logic1926 receiving via linkage 2311 an envelope object 1927 containing,referring to or otherwise indicating one or more of SDO's 2390 or SDO's2385). The SDO's can comprise remote or local objects, for example, thatare each existing or suggested by the information.

Operation 4921 describes signaling a change of an integrity policy asthe change of the security configuration of the remote agent (e.g.integrity policy update logic 1653 relaxing or removing one or more dataintegrity or transaction integrity policies in use for broker agent).Alternatively or additionally, the policies can relate to a contentdelivery agent, a synthesizing agent, a research agent, a stationaryagent or the like.

Operation 4925 describes deciding to signal at least a partial securityincrease as the change of the security configuration of the remote agent(e.g. remote security logic 1657 responding to one or more threatindicators 1658 by signaling a firewall or other new security protocolto be implemented at the remote agent). Alternatively or additionally,the partial security increase may comprise at least removing a partialsecurity threat such as a suspect agent observable by the remote agent.

Operation 4926 describes deciding to authorize an action as the changeof the security configuration of the remote agent (e.g. security controllogic 1656 authorizing a purchase or allocation by remote agents 1692 inresponse to request 1659). This can occur, for example, in embodimentsin which message parser 1623 receives request 1659 (from remote agents1692, e.g.) for one or more remote agents 1692 to be authorized to buyor otherwise obtain on behalf of an owner of or user at interface module1660 (not shown). In some embodiments, security control logic 1656 canbe configured to manifest an affirmative decision by transmitting anauthorization for the one or more actions comprising the securityconfiguration change. Those skilled in the art will recognize a varietyof factors and criteria for use in reaching the decision(s) in light ofthese teachings.

Operation 4976 describes causing a processing core securityconfiguration change including more than the change of the securityconfiguration of the remote agent (e.g. operating system upgrade logic1997 causing, at the remote agent, a substitution of a differentoperating system having a substantially different security protocol).Alternatively or additionally, the processing core securityconfiguration change can include a change in the configuration ofseveral local processing cores.

In regard to the above-referenced methods, those skilled in the art willrecognize that a network can include more than one instance of circuitryconfigured to perform the above-described flow variants. Likewise somesubsystems can coordinate their operation so that respective elementsthereof can perform such variants in succession, in alternation,conditionally, or simultaneously. In some embodiments incorporating FIG.28, for example, first signaling module 2410, signaling module 2701, orASR 2866 can each be configured to perform a respective instance ofoperation 210. Likewise second signaling module 2420 or signalingcircuitry 2868 can each be configured to perform a respective instanceof operation 220 as described above. Alternatively or additionally,network 2800 can be configured so that aggregation module 2702 oraggregation circuitry 2871 can each be configured to perform arespective instance of operation 450. Likewise transmission module 2703or transmitter 2874 can each be configured to perform a respectiveinstance of operation 460 as described above.

Alternatively or additionally, network 2800 can be configured so thatmore than one instance of interface module 2360 or interface 2607 caneach be configured to perform a respective instance of operation 580.Likewise decision module 2350 or first decision circuitry 2878 can eachbe configured to perform a respective instance of operation 590 asdescribed above. Alternatively or additionally, network 2800 can beconfigured so that linkage module 2270 or linkage circuitry 2881 caneach be configured to perform a respective instance of operation 610.Likewise linkage management module 2240, decision module 2350, linkagemanagement circuitry 2882 or the like can each be configured to performa respective instance of operation 620 as described above.

Alternatively or additionally, network 2800 can be configured so thatreceiving module 1620 or receiver 2875 can each be configured to performa respective instance of operation 710. Likewise decision module 1650 orsecond decision circuitry 2879 can each be configured to perform arespective instance of operation 720 as described above. Alternativelyor additionally, network 2800 can be configured so that agentconfiguration module 2580 or agent configuration circuitry 2893 can eachbe configured to perform a respective instance of operation 880.Likewise agent deployment module 2590 or agent deployment circuitry 2894can each be configured to perform a respective instance of operation 890as described above. Alternatively or additionally, network 2800 can beconfigured so that policy association module 2130 or policy associationcircuitry 2897 can each be configured to perform a respective instanceof operation 960. Likewise evaluation module 2170 or evaluationcircuitry 2898 can each be configured to perform a respective instanceof operation 970 as described above.

It will be understood that variations in technical or business modelsrelating to the technologies described herein may prove advantageous,for example in situations in which an information systems consultant orother service provider acts for the benefit of one or more clients orinterests to achieve such technologies collectively. Such arrangementscan facilitate organizational or tool specialization and costeffectiveness, for example, across distributed networks in the globalmarketplace. Those skilled in the art will recognize that suchbeneficial interaction creates a commercial web constituting a single defacto entity of two or more interacting participants cooperativelyimplementing the teachings herein, within the scope and spirit of theclaimed invention.

Those having skill in the art will recognize that the state of the arthas progressed to the point where there is little distinction leftbetween hardware and software implementations of aspects of systems; theuse of hardware or software is generally (but not always, in that incertain contexts the choice between hardware and software can becomesignificant) a design choice representing cost vs. efficiency tradeoffs.Those having skill in the art will appreciate that there are variousvehicles by which processes and/or systems and/or other technologiesdescribed herein can be effected (e.g., hardware, software, and/orfirmware), and that the preferred vehicle will vary with the context inwhich the processes and/or systems and/or other technologies aredeployed. For example, if an implementer determines that speed andaccuracy are paramount, the implementer may opt for a mainly hardwareand/or firmware vehicle; alternatively, if flexibility is paramount, theimplementer may opt for a mainly software implementation; or, yet againalternatively, the implementer may opt for some combination of hardware,software, and/or firmware. Hence, there are several possible vehicles bywhich the processes and/or devices and/or other technologies describedherein may be effected, none of which is inherently superior to theother in that any vehicle to be utilized is a choice dependent upon thecontext in which the vehicle will be deployed and the specific concerns(e.g., speed, flexibility, or predictability) of the implementer, any ofwhich may vary. Those skilled in the art will recognize that opticalaspects of implementations will typically employ optically-orientedhardware, software, and or firmware.

The foregoing detailed description has set forth various embodiments ofthe devices and/or processes via the use of block diagrams, flowcharts,and/or examples. Insofar as such block diagrams, flowcharts, and/orexamples contain one or more functions and/or operations, it will beunderstood by those within the art that each function and/or operationwithin such block diagrams, flowcharts, or examples can be implemented,individually and/or collectively, by a wide range of hardware, software,firmware, or virtually any combination thereof. In one embodiment,several portions of the subject matter described herein may beimplemented via Application Specific Integrated Circuits (ASICs), FieldProgrammable Gate Arrays (FPGAs), digital signal processors (DSPs), orother integrated formats. However, those skilled in the art willrecognize that some aspects of the embodiments disclosed herein, inwhole or in part, can be equivalently implemented in integratedcircuits, as one or more computer programs running on one or morecomputers (e.g., as one or more programs running on one or more computersystems), as one or more programs running on one or more processors(e.g., as one or more programs running on one or more microprocessors),as firmware, or as virtually any combination thereof, and that designingthe circuitry and/or writing the code for the software and or firmwarewould be well within the skill of one of skill in the art in light ofthis disclosure. In addition, those skilled in the art will appreciatethat the mechanisms of the subject matter described herein are capableof being distributed as a program product in a variety of forms, andthat an illustrative embodiment of the subject matter described hereinapplies regardless of the particular type of signal bearing medium usedto actually carry out the distribution. Examples of a signal bearingmedium include, but are not limited to, the following: a recordable typemedium such as a floppy disk, a hard disk drive, a Compact Disc (CD), aDigital Video Disk (DVD), a digital tape, a computer memory, etc.; and atransmission type medium such as a digital and/or an analogcommunication medium (e.g., a fiber optic cable, a waveguide, a wiredcommunications link, a wireless communication link, etc.).

While particular aspects of the present subject matter described hereinhave been shown and described, it will be apparent to those skilled inthe art that, based upon the teachings herein, changes and modificationsmay be made without departing from this subject matter described hereinand its broader aspects and, therefore, the appended claims are toencompass within their scope all such changes and modifications as arewithin the true spirit and scope of this subject matter describedherein.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purposes ofillustration and are not intended to be limiting, with the true scopeand spirit being indicated by the following claims.

It will be understood by those within the art that, in general, termsused herein, and especially in the appended claims (e.g., bodies of theappended claims) are generally intended as “open” terms (e.g., the term“including” should be interpreted as “including but not limited to,” theterm “having” should be interpreted as “having at least,” the term“includes” should be interpreted as “includes but is not limited to,”etc.). It will be further understood by those within the art that if aspecific number of an introduced claim recitation is intended, such anintent will be explicitly recited in the claim, and in the absence ofsuch recitation no such intent is present. For example, as an aid tounderstanding, the following appended claims may contain usage of theintroductory phrases “at least one” and “one or more” to introduce claimrecitations. However, the use of such phrases should not be construed toimply that the introduction of a claim recitation by the indefinitearticles “a” or “an” limits any particular claim containing suchintroduced claim recitation to inventions containing only one suchrecitation, even when the same claim includes the introductory phrases“one or more” or “at least one” and indefinite articles such as “a” or“an” (e.g., “a” and/or “an” should typically be interpreted to mean “atleast one” or “one or more”); the same holds true for the use ofdefinite articles used to introduce claim recitations. In addition, evenif a specific number of an introduced claim recitation is explicitlyrecited, those skilled in the art will recognize that such recitationshould typically be interpreted to mean at least the recited number(e.g., the bare recitation of “two recitations,” without othermodifiers, typically means at least two recitations, or two or morerecitations). Furthermore, in those instances where a conventionanalogous to “at least one of A, B, and C, etc.” is used, in generalsuch a construction is intended in the sense one having skill in the artwould understand the convention (e.g., “a system having at least one ofA, B, and C” would include but not be limited to systems that have Aalone, B alone, C alone, A and B together, A and C together, B and Ctogether, and/or A, B, and C together, etc.). In those instances where aconvention analogous to “at least one of A, B, or C, etc.” is used, ingeneral such a construction is intended in the sense one having skill inthe art would understand the convention (e.g., “a system having at leastone of A, B, or C” would include but not be limited to systems that haveA alone, B alone, C alone, A and B together, A and C together, B and Ctogether, and/or A, B, and C together, etc.). It will be furtherunderstood by those within the art that any disjunctive word and/orphrase presenting two or more alternative terms, whether in thedescription, claims, or drawings, should be understood to contemplatethe possibilities of including one of the terms, either of the terms, orboth terms. For example, the phrase “A or B” will be understood toinclude the possibilities of “A” or “B” or “A and B.” Moreover, “can”and “optionally” and other permissive terms are used herein fordescribing optional features of various embodiments. These termslikewise describe selectable or configurable features generally, unlessthe context dictates otherwise.

The herein described aspects depict different components containedwithin, or connected with, different other components. It is to beunderstood that such depicted architectures are merely exemplary, andthat in fact many other architectures can be implemented which achievethe same functionality. In a conceptual sense, any arrangement ofcomponents to achieve the same functionality is effectively “associated”such that the desired functionality is achieved. Hence, any twocomponents herein combined to achieve a particular functionality can beseen as “associated with” each other such that the desired functionalityis achieved, irrespective of architectures or intermedial components.Likewise, any two components so associated can also be viewed as being“operably connected,” or “operably coupled,” to each other to achievethe desired functionality. Any two components capable of being soassociated can also be viewed as being “operably couplable” to eachother to achieve the desired functionality. Specific examples ofoperably couplable include but are not limited to physically mateableand/or physically interacting components and/or wirelessly.

What is claimed is:
 1. A network subsystem comprising: means forassociating a first mobile agent with a first security policy and asecond mobile agent with a second security policy; and means forevaluating a received message at least in response to an indication ofthe first security policy and to an indication of the second securitypolicy including at least means for broadcasting one or more inquiriesrelating to at least one of the first security policy or the secondsecurity policy in use in one or more processing cores.
 2. The networksubsystem of claim 1 in which the means for associating a first mobileagent with a first security policy and a second mobile agent with asecond security policy comprises: at least one of: means for activatingthe first security policy at least in the first mobile agent; means forcausing the second security policy to include one or more integritypolicies; means for associating the first security policy at least withthe first mobile agent and with the second mobile agent; or means forconfiguring the first mobile agent with one or more instructions able tocause the first mobile agent to transmit an indicator of the firstsecurity policy.
 3. The network subsystem of claim 1 in which the meansfor evaluating a received message at least in response to an indicationof the first security policy and to an indication of the second securitypolicy comprises: at least one of: means for receiving a level indicatoras the indication of the first security policy or the indication of thesecond security policy; means for requesting the indication of the firstsecurity policy; means for distilling from the received message at leastan affirmative indication as one or more of the indication of the firstsecurity policy or the indication of the second security policy; meansfor deciding whether to enable a triggering circuit in response to theindication of the second security policy; or means for evaluating asignal containing the received message.
 4. The network subsystem ofclaim 1 in which the means for evaluating a received message at least inresponse to an indication of the first security policy and to anindication of the second security policy comprises: means for obtainingan identifier of the second mobile agent; and means for determining theindication of the second security policy responsive to the identifier ofthe second mobile agent.
 5. The network subsystem of claim 1 furthercomprising: means for deploying the first mobile agent remotely.
 6. Thenetwork subsystem of claim 1 further comprising: means for deploying atleast the second security policy to the first mobile agent.
 7. Thenetwork subsystem of claim 1 in which the means for evaluating areceived message at least in response to an indication of the firstsecurity policy and to an indication of the second security policycomprises: means for requesting the indication of the first securitypolicy; means for distilling from the received message at least anaffirmative indication as one or more of the indication of the firstsecurity policy or the indication of the second security policy; meansfor determining the indication of the second security policy responsiveto the obtained identifier of the second mobile agent; and means fortransmitting a yes-or-no decision of whether to enable a triggeringcircuit in response to the indication of the second security policy. 8.The network subsystem of claim 7 further comprising: one or more userinterfaces operably coupled with the means for evaluating a receivedmessage at least in response to an indication of the first securitypolicy and to an indication of the second security policy; and means fordeploying at least the first mobile agent remotely via the second mobileagent.
 9. The network subsystem of claim 1 in which the means forassociating a first mobile agent with a first security policy and asecond mobile agent with a second security policy comprises: means forcausing the first security policy to include one or more confidentialitypolicies; means for activating the first security policy at least in thefirst mobile agent; means for associating the first security policy atleast with the first mobile agent and with the second mobile agent;means for configuring the first mobile agent with one or moreinstructions able to cause the first mobile agent to transmit anindicator of the first security policy; means for causing the secondsecurity policy to include one or more integrity policies; and means forconfiguring the second mobile agent with one or more instructions ableto cause the second mobile agent to transmit at least a portion of thesecond security policy.
 10. The network subsystem of claim 9 in whichthe means for evaluating a received message at least in response to anindication of the first security policy and to an indication of thesecond security policy comprises: means for evaluating the receivedmessage at least partly as a roughly contemporaneous response toreceiving the indication of the first security policy; means forreceiving a level indicator as the indication of the first securitypolicy or the indication of the second security policy; means forobtaining an identifier of the second mobile agent; means fordetermining the indication of the second security policy responsive tothe obtained identifier of the second mobile agent; and means fortransmitting a yes-or-no decision of whether to enable a triggeringcircuit in response to the indication of the second security policy. 11.A network subsystem comprising: an agent configuration module operablefor providing a first agent with code for responding to situationalinformation about the first agent and about a second agent; a securityprotocol update module operable for modifying one or more securitypolicies of one or more of the first agent or the second agent operatingin one or more processing cores; and an agent deployment module operablefor deploying the first agent.
 12. A network subsystem comprising: apolicy association module for associating a first mobile agent with afirst security policy and a second mobile agent with a second securitypolicy; and an evaluation module for evaluating a received message atleast in response to an indication of the first security policy and toan indication of the second security policy including at leastdistilling from the received message at least one of an affirmativeindication of security policy activation or a negative indication ofsecurity policy deactivation as one or more of the first security policyor the second security policy operating in one or more processing cores.13. A network subsystem comprising: associating circuitry forassociating a first mobile agent with a first security policy and asecond mobile agent with a second security policy; and evaluationcircuitry for evaluating a received message at least in response to anindication of the first security policy and to an indication of thesecond security policy, the evaluation circuitry including at least:circuitry for requesting the indication of the first security policy;circuitry for receiving a level indicator as the indication of the firstsecurity policy or the indication of the second security policy;circuitry for deciding whether to enable a triggering circuit inresponse to the indication of the second security policy; and circuitryfor updating at least one of the first security policy or the secondsecurity policy responsive to one or more inquiries relating to at leastone of the first security policy or the second security policy operatingin one or more processing cores.
 14. The network subsystem of claim 1 inwhich the means for evaluating a received message at least in responseto an indication of the first security policy and to an indication ofthe second security policy comprises: means for obtaining one or morerisk indicators in situational information about the first mobile agentand the second mobile agent.
 15. The network subsystem of claim 1 inwhich the means for evaluating a received message at least in responseto an indication of the first security policy and to an indication ofthe second security policy comprises: means for evaluating the receivedmessage at least in response to a timing indicator defined in thereceived message.
 16. The network subsystem of claim 1 in which themeans for evaluating a received message at least in response to anindication of the first security policy and to an indication of thesecond security policy comprises: means for updating at least one of thefirst security policy or the second security policy in response to atleast one signal to change a security configuration of at least one ofthe first mobile agent or the second mobile agent.
 17. The networksubsystem of claim 1 in which the means for evaluating a receivedmessage at least in response to an indication of the first securitypolicy and to an indication of the second security policy comprises:means for updating at least one of the first security policy or thesecond security policy in response to information received from at leastone of the first mobile agent or the second mobile agent.
 18. Thenetwork subsystem of claim 1 in which the means for evaluating areceived message at least in response to an indication of the firstsecurity policy and to an indication of the second security policycomprises: means for updating at least one of the first security policyor the second security policy in response to a cost-indicative valueindicating a burden associated with adding or removing a securitycriterion received from at least one of the first mobile agent or thesecond mobile agent.
 19. The network subsystem of claim 1 in which themeans for evaluating a received message at least in response to anindication of the first security policy and to an indication of thesecond security policy comprises: means for substituting a differentoperating system having a substantially different security protocol inresponse to at least one signal to change a security configuration of atleast one of the first mobile agent or the second mobile agent.
 20. Thenetwork subsystem of claim 1 in which the means for evaluating areceived message at least in response to an indication of the firstsecurity policy and to an indication of the second security policycomprises: means for evaluating a received message at least in responseto an indication of the first security policy and to an indication ofthe second security policy including at least distilling from thereceived message at least one of an affirmative indication of securitypolicy activation or a negative indication of security policydeactivation as one or more of the first security policy or the secondsecurity policy.
 21. The network subsystem of claim 1 in which the meansfor evaluating a received message at least in response to an indicationof the first security policy and to an indication of the second securitypolicy comprises: means for updating at least one of the first securitypolicy or the second security policy responsive to one or more inquiriesrelating to at least one of the first security policy or the secondsecurity policy.